THE DRUG ENFORCEMENT ADMINISTRATION’S
MANAGEMENT OF ENTERPRISE ARCHITECTURE AND
INFORMATION TECHNOLOGY INVESTMENTS

EXECUTIVE SUMMARY

To properly manage its IT investments, the DEA is in the process
of developing an Enterprise Architecture (EA) and an Information
Technology Investment Management (ITIM) process. An EA
establishes an agencywide roadmap to achieve an agency’s mission
through optimal performance of its core business processes within an
efficient IT environment. ITIM involves implementing processes such
as: identifying existing IT systems and projects, identifying the
business needs for the projects, tracking and overseeing projects’
costs and schedules, and selecting new projects rationally.
Governmentwide reviews by the Government Accountability Office
(GAO) and audits by the Office of the Inspector General (OIG)
covering IT management in the DEA found weaknesses in aspects of
EA, ITIM, and information security. Because of the importance of the
DEA’s management of its 38 IT systems, as listed in its current EA, we
performed this audit to determine if the DEA is effectively managing its
EA and its IT investments.

To perform the audit, we interviewed officials from the DEA, the
DOJ, the GAO, and Bearing Point – the DEA contractor developing the
EA. Additionally, we reviewed documents related to EA and IT
management policies and procedures, project management guidance,
strategic plans, IT project proposals, budgets, and organizational
structures. To determine whether the DEA is effectively managing its
EA, we requested that the DEA complete a survey originally developed
by the GAO, to identify which core elements in the EA Management
Framework have been implemented.
We also used the GAO’s ITIM
Framework (Framework) and the associated assessment method to
evaluate the management of the DEA’s investments. As part of the
Framework’s assessment method, the DEA completed a
self-assessment of its IT investment management activities.

The Information Technology Management Reform Act of 1996
(known as the Clinger-Cohen Act) requires the head of each federal
agency to implement a process for maximizing the value of the
agency’s IT investments and for assessing and managing the risks of
its acquisitions. A key goal of the Clinger-Cohen Act is for agencies to
have processes in place to ensure that IT projects are being
implemented at acceptable costs and within reasonable timeframes,
and that the projects are contributing to tangible, observable
improvements in mission performance. In addition, the
Clinger-Cohen Act requires the head of each agency to develop,
maintain, and facilitate the implementation of architectures as a
means of integrating business processes and agency goals with IT.
The Office of Management and Budget (OMB) Circular A-130 requires
each federal agency to establish and maintain a capital planning and
investment control process for IT.

The DEA is effectively pursuing completion of both its EA and
ITIM. Although the EA is still being developed and the DEA has not
established a target date for completing its ITIM processes, the DEA is
using many sound practices from both. The DEA will be more fully
effective in managing its EA and IT investments once its EA and ITIM
processes are completed and mature.

Enterprise Architecture (EA)

If completed in September 2004 as scheduled, the DEA EA
should provide a blueprint that will enable the DEA to more effectively
and efficiently manage its current and future IT infrastructure and
applications.
The DEA has completed much of its EA, with the
exception of developing a target architecture and a transition plan to
accomplish the target architecture. To date, the DEA has established a
foundation consistent with the EA Management Framework to build its
EA program. The DEA has assigned roles and responsibilities for
developing the EA, committed resources, and established plans for
completing the remaining stages. In addition, the DEA has developed
a general, high-level description of its existing, or “as is,” architecture.
However, without a completed EA, any organization assumes some
degree of risk that it might invest in IT that is duplicative, not
well-integrated, costly, or not supportive of the agency’s mission. In
continuing to develop its EA, the DEA is taking steps to mitigate such
risks. By completing its EA, the DEA will minimize the risks even
further and provide a realistic vision of its future IT requirements.

As of April 2004, the DEA had completed nearly 90 percent of
the EA Management Framework criteria for meeting the second of five
levels of maturity. The DEA estimates that it will cost approximately
$2.7 million to complete the EA. In FY 2002, the DEA spent $667,000
from its base appropriations for EA development. In FY 2003 the DEA
requested an additional $400,000 to continue development, but the
funding was not approved. According to the DEA’s EA Chief Architect,
approval of the requested amount would have allowed the DEA to
complete a detailed description of the existing architecture more
quickly.

The DEA has allocated 4.25 full time equivalent staff —
but assigned 3.25 full time equivalent staff (.5 managers, .5 staff
members, and 2.25 contractors) — in support of EA efforts and
completion of the current EA.
The Deputy Assistant Administrator of
the DEA’s Office of Information Systems, which is the office tasked
with developing the DEA’s EA, is currently serving as the Chairman of
the Department’s EA Committee. The Chief Architect, who established
the foundation for the DEA’s EA, had transferred to the DEA from the
Department’s Justice Management Division where she had dealt with
technology issues. The DEA’s Program Office has two senior analysts
and one junior analyst assigned to work on completing the EA.
Additionally, the DEA hired a contractor in October 2003 to aid in the
completion of the EA.

In addition to funding and human resources, the DEA has
acquired tools and technology to support its EA activities. The DEA
uses the Popkin System Architect (Popkin) as its automated EA tool.
According to the Chief Architect, one reason the DEA chose Popkin is
that the Department is also using Popkin, and the future integration of
the DEA’s EA with the Department’s EA may be more easily achieved.
Because the DEA has just recently begun using the Popkin tool, we did
not assess its effectiveness in clearly and completely documenting the
DEA’s EA, but we agree that using the same tool as the Department
should aid in the future integration of the agency’s EA with the
Department’s EA.

The DEA has established three governing committees, or
investment boards: 1) the Executive Review Board, 2) the Business
Council, and 3) the Compliance Council. Together, the three
governing committees are responsible for ensuring that the DEA’s EA
meets all federal and Departmental requirements.

The Executive Review Board is responsible for providing
leadership to implement a managed IT capital planning and investment
control process.
The IT capital planning and investment control
process includes the development and maintenance of an agencywide
EA.

The Business Council’s primary responsibility is to ensure that
projects and investments recommended by program managers are
consistent with the DEA’s mission, strategic plan, capital planning
goals, EA, and security policy. Business Council members function as
the working level experts for the ITIM process by providing business
expertise specific to their respective business unit.

The Compliance Council is responsible for evaluating IT
investments and the DEA’s EA to ensure compliance with legislative
regulations and DEA policy. The Compliance Council consists of
members whose day-to-day responsibilities involve a compliance area.
The members work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.
The Chief of the Strategic Business Management Section, Office of
Information Systems, chairs this committee.

The EA Management Framework states that EA development and
maintenance should be managed as a formal program. Accordingly,
the DEA reorganized its Office of Information Systems to include a
Strategic Business Analysis Section as the EA Program Office
(Program Office). The Program Office is responsible for the
development and maintenance of the DEA EA. To accomplish its
responsibility, the Program Office coordinates with offices throughout
the DEA as well as external IT organizations. The Program Office
assists DEA customers in developing their concepts and plans for the
application of IT to their business processes, and also assists
customers with the ITIM process.

The DEA’s methodology to develop its EA is a three-phase
approach.

Phase 1. Includes documenting, at a high-level, what currently exists
within the DEA in terms of business areas, applications, data, and
technology.

Phase 2. Includes 1) providing more detail to the current
architecture, 2) goals and objectives stated in the Department and the
DEA strategic plans, 3) performance measures, 4) aligning the DEA’s
architecture with the Federal Enterprise Architecture reference models,
and 5) aligning the architecture with the DEA’s capital planning
process.

Phase 3. Includes the establishment of the target architecture,
including security compliance and the development of a transition
plan.

The DEA completed Phase 1 of the EA development in
September 2002. In February 2003, the DEA’s CIO submitted the
high-level description of the DEA’s current EA to the three DEA IT
governing boards for inclusion in the budget process. The DEA stated
that its contractors completed Phase 2, and as of February 2004 the
DEA was in the process of reviewing the contractor’s work for
compliance with the Federal Enterprise Architecture Framework
requirements. The DEA has not yet begun Phase 3 of the EA project.

The DEA has not yet established measures of EA progress,
quality, compliance, and return on investment, which are necessary to
ensure that the EA meets the targeted milestones and complies with
the necessary regulatory requirements. Measuring return on
investment would tell the DEA what benefits are realized by the
development of the EA in relation to the cost of the EA development.

The DEA did not establish a formal written and approved policy
for developing the EA.
However, the DEA did establish the required
elements of the EA development policy in different ways:

• established the IT governing boards with representation from
  all DEA business areas to ensure agencywide commitment to
  EA development;

• established the EA Program Office with responsibility for
  developing the EA;

• created the EA Program Management Plan, which outlines the
  scope of the architecture including a description of the
  current and target architecture, as well as the transition plan,
  and addresses EA oversight, control, review, and validation
  responsibilities; and

• outlined the value of the EA, its relationship to the
  organization’s strategic vision and plans, and the capital
  planning process in the DEA’s IT Strategic Plan.

Yet, consolidating the EA development information in the form of an
organization policy allows any DEA staff member to consult one
document for information concerning the development and
implementation of the DEA EA.

The DEA has developed one EA product, the high-level current
architecture. In September 2002, the DEA documented its high-level
current EA using DEA personnel assisted by a contractor. The
high-level current EA provided the DEA with descriptions of its
business processes, applications used to carry out the business
processes, data used in accomplishing the business processes,
technology used in implementing the business processes, and
stakeholders affected by the business processes.
The 2002 high-level
current EA lacked the detail necessary to progress to the target
architecture, but in April 2004 the contractor added the necessary
detail, and the DEA accepted the product.

To complete its EA, the DEA must finish two additional products:
1) the target architecture, and 2) a transition plan from the current to
the target architecture.

The DEA’s target architecture will define the vision of the DEA’s
future business operations and supporting technology and will also
describe the desired capability and structure of the business
processes, information needs, and IT infrastructure at some point in
the future. Just as the current architecture captured the existing
business practices, functionality, and information flows, the target
architecture will reflect what the DEA needs to evolve its information
resources.

The DEA’s transition plan will provide a step-by-step process for
moving from a current architecture to a target architecture. Such a
plan is the primary tool used for program management and investment
decisions because the plan represents the current environment as well
as any development programs that are planned or underway. To
remain current and to support continued coordinated improvements
across the DEA, the transition plan should be maintained and updated
as time and circumstances dictate. In addition, the DEA must ensure
that all EA products when completed undergo configuration
management – a process of managing changes to IT systems or
hardware – and that the target architecture addresses security as
outlined in the EA program plan.

Information Technology Investment Management

The DEA manages its IT investments through agencywide
replicable processes rather than through a single office.
To illustrate
the processes, the DEA created a graphic illustration called
“The House” (see Appendix 5) showing how strategic planning,
budgeting, procurement, ITIM, quality management, IT security,
System-Development-Life-Cycle program management, and EA work
together to accomplish the DEA’s mission.

Most DEA divisions (Operations, Intelligence, Financial
Management, Operational Support, and Inspection) manage major IT
systems and initiatives. The Office of Information Systems is
responsible for ensuring that the procedures and applications
developed by DEA divisions and their offices are in compliance with the
DEA-wide programs for IT strategic planning, IT capital planning and
investment control, and the EA. The divisions are responsible for
specific networks and applications supporting their respective
missions.

In December 2001, in an effort to improve its IT investment
management practices and comply with the Department’s and other
statutory regulations, the DEA developed the “ITIM Process Guide and
Transition Plan.” The purpose of the plan is to better ensure that
technological resources are linked to the DEA mission and IT Strategic
Plan while providing a solid return on investment. According to the
plan, the DEA would introduce ITIM over three years, in three phases.
Each phase would correspond to one fiscal year: Phase 1 would focus
on the business and budget side of ITIM, while Phases 2 and 3 would
focus on the technical side. Also, in Phase 2, ITIM would integrate
security activities, and in Phase 3 ITIM would integrate EA activities.

The DEA has attained a basic ITIM capability (Stage-2 maturity)
to establish the foundation for effective and replicable IT project-level
investment selection and control processes.
Selection processes
ensure that the DEA has an effective methodology for approving only
those IT projects that are consistent with its needs and goals.
Effective control processes ensure that deviations from cost and
schedule baselines can be identified quickly.

To ensure that the select and control processes were carried
out, the DEA chartered three investment boards: the Executive
Review Board, Business Council, and Compliance Council. The DEA
created a hierarchical approach to the operation of the investment
boards to ensure that no overlaps or gaps existed within the scope of
the boards’ authorities and responsibilities.

Before the boards become involved in the ITIM process, the
Management Group works closely with the project and program
managers to ensure the completeness of the IT investment proposals
and monitor the performance of the investments after funding.[1] The
proposals are first forwarded to the Business Council for review and
scoring based on the DEA mission and goals. Based on the results of
its review, the Business Council makes recommendations to the
Executive Review Board on the IT projects for which funding has been
requested. The Executive Review Board evaluates the
recommendations to ensure that the DEA’s mission and goals are
being met through the investments and then makes final
recommendations to the DEA Administrator. The Compliance Council
ensures that IT investments comply with legislative regulations and
DEA policy.

The DEA has completed one selection cycle within the ITIM
process and as of March 2004 was in the process of completing a
second cycle for the 2006 budget year. We reviewed the minutes of
the Business Council meeting to determine if the DEA was actually
using its prescribed selection process.
According to the minutes, the
program managers made presentations to the Business Council, which
were ranked and prioritized based on how the projects met mission
goals and objectives. The Business Council’s decision was forwarded
to the Executive Review Board for further evaluation and a funding
recommendation.

To meet the requirement of the ITIM Framework, the DEA has
required each project to have a Project Management Plan (PMP). The
PMP documents the purpose, scope, and background of the project,
the project organization, and the management and technical approach.
The PMP also contains the project schedule and funding information. A
number of supplemental exhibits are included with the PMP, for
example: project sizing and documentation requirements, project
questionnaires, staff roles and responsibilities, the work breakdown
schedule, primary points of contact, and a system risk matrix.

[1] The Management Group within the Strategic Business Analysis Section
provides support, advice, and guidance on carrying out the ITIM process.

In addition, the OMB requires all major IT investment plans to be
summarized and reported in the Exhibit 300.[2] The Exhibit 300
captures cost, schedule, and performance data along with
earned-value, project assumptions, and risks. Further, the DEA
Investment Guide states that after a project’s concept proposal is
approved, a business case must be developed for each project for
further consideration. A business case consists of a project plan,
feasibility study, cost-benefit analysis, and concept of operations.
These documents are all part of the PMP.

Our review of the DEA PMP determined that the DEA includes a
change control page to track all changes made to the project.
We also
found that the DEA Investment Guide requires that, during the control
phase, investments are subject to periodic progress reviews to assess
cost management, schedule variance, and the realization of planned
benefits. According to the DEA, the investment boards’ activities are
evolving and will include more activities during the Control Phase in
2004. In addition, the DEA investment repository is to be updated to
reflect all changes and the results of the reviews. The EA, including
the investment repository, is made available to the investment boards
as part of the budgetary process to aid in making funding decisions.

The development of the IT investment portfolio is an ongoing
process that includes decision-making, prioritization, review,
realignment, and reprioritization of projects that are competing for
resources and funding. The process for creating the portfolio should
ensure that each IT investment board manages investments according
to an organizational, strategic-planning perspective. The boards
should collectively analyze and compare all investments and proposals
to select those that best fit with the strategic business direction,
needs, and priorities of the entire organization.

The DEA has documented the processes for selecting an
investment portfolio in its ITIM Process Guide. The ITIM Process Guide
provides policies and procedures that supplement and support
guidance from DOJ Order 2880.1A and OMB Circular A-11 regarding
investment analysis. The ITIM Process Guide contains detailed
processes for analyzing, selecting and maintaining the investment
portfolio.
In addition, the DEA requires program managers to develop
an Exhibit 300, as explained in OMB Circular A-11, for all projects to
be submitted for final funding approval.

[2] OMB Exhibit 300 is a format used to represent a strong business case, or
purpose, for the proposed investment to agency management and the OMB.

We also found that the DEA has taken steps to ensure that
information used to select, control, and evaluate the portfolio is
captured and maintained for future reference. The DEA is maintaining
the minutes and action items electronically from investment boards’
meetings for retrieval at a later date. The DEA also uses an
Information Technology Investment Portfolio System (ITIPS), which
tracks the planning, acquisition, and operations of Automated
Information Systems and IT investments. The ITIPS also complies
with federal requirements such as the Government Performance and
Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act.
The DEA is assessing other tools to better capture the required
information about IT investments. The DEA’s ability to effectively
capture investment information on past and present IT decisions in
one system can translate into better decisions on IT investments
during control phase activities, as well as during the evaluation and
selection processes.
The ITIM Framework states that IT information
systems that deliver information that is up-to-date, encompassing,
and presented in a useful format will enhance the decision process.

In an effort to streamline the Business Council’s and the
Executive Review Board’s access to current information on the status
of DEA IT investments, the DEA is working to adopt a Departmental
database that would provide the Department’s CIO, component CIOs,
and project managers with current status information on major and
other highly visible IT systems in the Department’s portfolio. Once
implemented, the Business Council, Executive Review Board members,
and project managers may use the database to gain a quick reference
to determine the cost, schedule, and risks for investments contained in
the DEA IT portfolio.

The DEA has made progress toward obtaining a mature ITIM
process. However, the DEA has not established a schedule for
completing the remaining stages of the ITIM process. Also, the DEA
has not provided formal training for investment board members to
ensure that they are familiar with portfolio evaluation and
improvement procedures. However, at the beginning of the meeting,
the DEA ITIM Management Group outlines for the Business Council the
process to be used for IT investment review.
A formal training session
would enable board members to become more familiar with the
ranking categories and to understand what each category entails and
how each category is important to the evaluation of each IT
investment.

For the DEA to attain a mature ITIM process as described by the
ITIM Framework, the DEA must: 1) evaluate the performance of the
portfolio and use the information gained from the evaluation to
improve both current IT investment processes and the future
performance of the investment portfolio, 2) manage the succession of
information systems by replacing low-value systems with higher-value
systems, 3) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated within
the DEA’s IT investment process, and 4) use IT to strategically
transform work processes, while exploring new and more effective
ways of executing the DEA’s mission.

The recommendations we made to the DEA are to:

1. apply metrics to measure EA progress, quality, compliance,
   and return on investment;

2. establish an organization policy for EA development and
   maintenance that meets the requirements of the EA
   Management Framework;

3. ensure that the completed EA undergoes configuration
   management;

4. ensure that the target architecture addresses security as
   outlined in the EA Program Plan;

5. complete and implement the remaining EA stages to
   ensure that IT investments are not duplicative, are well
   integrated, are cost effective, and support the DEA’s
   mission;

6. train members of the investment boards on the criteria for
   evaluating IT investments; and

7. establish a schedule for completing the remaining stages
   of the ITIM process to control and evaluate DEA’s IT
   investments.

TABLE OF CONTENTS

BACKGROUND
    Authorities
    Prior Reports
    Framework for Assessing IT Investment Management
    Framework for Assessing and Improving Enterprise Architecture Management
    The DEA’s Management of IT Infrastructure

FINDINGS AND RECOMMENDATIONS

Finding 1: Enterprise Architecture
    Synopsis of the Five Stages of the EA Management Framework
    Stage 1 Completed
    Stage 2 Ninety-Percent Completed
    Stage 3 Progress
    Attaining Stage 4 Maturity
    Attaining Stage 5 Maturity
    Conclusion
    Recommendations

Finding 2: Information Technology Investment Management
    Synopsis of the Five Stages of the ITIM Process
    Stage 2 Completed
    Stage 3 Not Yet Completed
    Attaining Stage 4 Maturity
    Attaining Stage 5 Maturity
    Conclusion
    Recommendations

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

STATEMENT ON MANAGEMENT CONTROLS

APPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY

APPENDIX 2: ACRONYMS

APPENDIX 3: THE THREE COMPONENTS OF THE ITIM PROCESS

APPENDIX 4: SUMMARY OF THE EA MANAGEMENT FRAMEWORK’S MATURITY STAGES, CRITICAL SUCCESS ATTRIBUTES, AND CORE ELEMENTS

APPENDIX 5: DEA’S IT MANAGEMENT PROGRAM

APPENDIX 6: DRUG ENFORCEMENT ADMINISTRATION ORGANIZATION CHART

APPENDIX 7: DEA PROGRESS THROUGH STAGE 3 OF THE EA MANAGEMENT FRAMEWORK

APPENDIX 8: FEDERAL ENTERPRISE ARCHITECTURE FRAMEWORK

APPENDIX 9: DEA PROGRESS THROUGH STAGE 3 OF THE ITIM FRAMEWORK

APPENDIX 10: THE DEA’S RESPONSE TO THE DRAFT REPORT

APPENDIX 11: OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

BACKGROUND

Authorities

The United States’ efforts to control drugs and narcotics, through
a number of offices and agencies, date back to 1915. In July 1973,
the President established the Drug Enforcement Administration (DEA)
within the Department of Justice (Department) as the successor to the
Bureau of Narcotics and Dangerous Drugs.

The DEA’s mission is to: 1) enforce the controlled substances
laws and regulations of the United States; 2) bring to justice those
individuals or organizations involved in the growing, manufacturing, or
distributing of controlled substances destined for illicit traffic in the
United States; and 3) reduce the availability of illicit controlled
substances in the domestic and international markets. The DEA’s
primary responsibilities include the:

• investigation of major violators of controlled substance laws
  for prosecution;

• management of a national drug intelligence program in
  cooperation with federal, state, local, and foreign officials to
  collect, analyze, and disseminate strategic and operational
  drug intelligence information;

• seizure and forfeiture of assets derived from or used in illicit
  drug trafficking;

• enforcement of the Controlled Substances Act pertaining to
  the manufacture, distribution, and dispensation of legally
  produced controlled substances;[3]

• coordination and cooperation with federal, state, and local
  law enforcement officials on mutual efforts for drug
  enforcement and reduction of illicit drug availability in the
  United States; and

• management of programs associated with drug law
  enforcement counterparts in foreign countries and liaison
  with the United Nations, Interpol, and other organizations on
  international drug control programs.

[3] The Controlled Substances Act, Title II of the Comprehensive Drug Abuse
Prevention and Control Act of 1970, is the legal foundation of the government's fight
against the abuse of drugs and other substances. This law is a consolidation of
numerous laws regulating the manufacture and distribution of narcotics, stimulants,
depressants, hallucinogens, anabolic steroids, and chemicals used in the illicit
production of controlled substances.

To accomplish its mission, the DEA’s headquarters in Arlington,
Virginia, oversees 237 domestic offices and 80 foreign offices in 58
countries. As of FY 2003, the DEA had approximately 4,680 special
agents and 4,949 support staff. From FY 2003 to FY 2004, the DEA’s
budget increased from $1.660 billion to $1.677 billion.[4] Information
technology (IT) is essential to the DEA’s ability to properly manage its
operations and administrative functions. Funding for the DEA’s
IT-related projects increased from $201 million in FY 2003 to
$224 million in FY 2004.

The Information Technology Management Reform Act of 1996
(known as the Clinger-Cohen Act) requires the head of each federal
agency to implement a process for maximizing the value of the
agency’s IT investments and for assessing and managing the risks of
its acquisitions. A key goal of the Clinger-Cohen Act is for agencies to
have processes in place to ensure that IT projects are being
implemented at acceptable costs and within reasonable timeframes,
and that the projects are contributing to tangible, observable
improvements in mission performance.
In addition, the Clinger-Cohen Act requires the head of each agency to develop, maintain, and facilitate the implementation of architectures as a means of integrating business processes and agency goals with IT.

[4] The budget excluded Federal Retirees and Health Benefit Costs.

The Office of Management and Budget (OMB) Circular A-130 requires each federal agency to establish and maintain a capital planning and investment control process for IT (also known as Information Technology Investment Management, or ITIM). As described more fully in Appendix 3, the ITIM process has three components: select, control, and evaluate. The process integrates the agency's strategic and financial management plans and its acquisition and budget processes. Further, the process helps shape the agency’s Enterprise Architecture (EA), which provides a strategy that will enable the agency to support its current state and also act as the roadmap for transition to its target environment.

The following chart describes the fundamental phases of this IT investment approach.

[Chart: Fundamental Phases of the IT Investment Approach. Source: The U.S. Government Accountability Office (GAO).]

In August 2001, the Department of Justice Information Technology Investment Management Process (Guide) was issued to implement the Clinger-Cohen Act, OMB Circular A-130, and other IT management requirements. The Guide is intended to help make measurable improvements in mission performance and service delivery to the public through the strategic application of IT.

In doing so, the Guide uses the select/control/evaluate methodology to implement the strategic and performance directives of the Clinger-Cohen Act and other requirements affecting IT investments.
The Guide is also intended to promote a process that builds on existing structures to provide maximum benefit across the Department and with other federal agencies. This process is intended to allow the Department to focus IT management on the Department’s strategic missions. Further, the process establishes investment review procedures that drive budget formulation and execution for IT systems, and it provides the methods, structures, disciplines, and management framework that govern the way IT is deployed throughout the Department. The Guide applies to all IT projects in all of the Department’s components, and requires each Departmental component to:

      • designate a component Chief Information Officer (CIO);

      • establish an Executive Review Board that will approve the entire component IT portfolio and oversee the decisions made about specific investments; and

      • establish a component ITIM process that incorporates the Department’s ITIM process but is customized to function within the component’s unique environment.

By January 2002, each component was required to submit to the Department an ITIM plan incorporating the above items. The DEA submitted its ITIM plan in December 2001. The JMD officially approved the DEA’s Plan in March 2002. The 2002 approval letter states that the DEA ITIM process conforms to the guidelines defined by the GAO, the OMB, and the Department. It also states that the plan is clear and comprehensive in its statement of the ITIM policy and its definition of organizational roles, responsibilities, and deliverables.

To date, the Department has not issued any formal guidance on EA.
However, according to the Assistant Director of the Department’s Policy and Planning Staff within the Office of the Chief Information Officer, the order providing such guidance should be released in the first quarter of FY 2005. To begin developing its EA, the DEA used guidance from the OMB, the Federal Chief Information Officer’s Council, and the DEA’s Strategic IT Plan to develop its EA program.

Prior Reports

We identified and reviewed six IT-related reports issued since May 2000 by the GAO and the OIG that are applicable to aspects of this audit.

In May 2000, the GAO reported that although almost all federal agencies had created some type of ITIM process, none had implemented stable processes that address all three phases of the select/control/evaluate approach.[5] According to the GAO, one barrier to implementing reliable ITIM has been the lack of specific guidance on the required processes. The GAO further stated that the select/control/evaluate approach provides sound advice, but does not describe the organizational processes involved.

[5] The report is entitled Information Technology Investment Management: An Overview of GAO’s Assessment Framework (GAO/AIMD-00-155) dated May 2000.

In February 2002, the GAO reported that the federal government as a whole had not reached a mature state of EA management.[6] In particular, about 52 percent of federal agencies reported having at least the management foundation that is needed to begin successfully developing, implementing, and maintaining an EA, and about 48 percent of agencies have not yet advanced to this basic stage of maturity. Specifically, the GAO determined that the DEA had achieved Stage-2 maturity. At Stage-2 maturity, the DEA established a sound EA management foundation with the assignment of roles and responsibilities and the establishment of plans for developing EA products.

[6] The report is entitled Information Technology, Enterprise Architecture Use Across the Federal Government Can Be Improved (GAO-02-6) dated February 2002.

In March 2002, pursuant to the FY 2001 Government Information Security Reform Act, the OIG issued three reports on three of the DEA’s administrative and investigative IT systems.[7] The reports identified vulnerabilities with management, operational, and technical controls. Significant vulnerabilities were noted in the following areas:

      • security policies, procedures, standards, and guidelines;

      • system and network backup and restoration controls;

      • password management;

      • log-on management;

      • account integrity management;

      • system auditing management;

      • physical controls;

      • software upgrading procedures;

      • personnel controls;

      • contingency planning; and

      • system configuration.

The reports also stated that these vulnerabilities occurred because the DEA either lacked sufficient guidance, did not fully enforce compliance with existing security policies, did not develop a complete set of policies to effectively secure the systems, or lacked timely and effective oversight from the Department and DEA management in addressing known problems.

[7] The three systems audited were the El Paso Intelligence Center Information System (02-09), Merlin System (02-13), and Firebird System (02-10).

In February 2004, pursuant to the Federal Information Security Management Act (FISMA), the OIG issued a report on the DEA’s system used to access and analyze classified
information. The report assessed the system’s compliance with FISMA and related information security policies, procedures, standards, and guidelines. The report identified weaknesses in the areas of management, operational, and technical controls. The report also identified high-risk vulnerabilities from unauthorized use, loss, or modification of data.

The report stated that the vulnerabilities occurred because the DEA did not always enforce its policies in accordance with current Department policies and procedures for the system. Furthermore, many of the vulnerabilities identified during this audit could have been prevented if the DEA had followed up on and applied corrective actions for similar vulnerabilities identified by the DEA and OIG in previous years and applied them to the system.

This report dealt primarily with the DEA’s management of information security and not the agency’s handling of IT investments or its EA. However, according to the CIO Practical Guide, an agency is required to address information security within its EA. The DEA has documented in its EA Program Plan that information security will be addressed as a separate layer within the target architecture, which has not yet been developed.

Framework for Assessing IT Investment Management

To address the lack of guidance as reported in its May 2000 report, the GAO developed the IT Investment Management Framework (ITIM Framework) to provide a common methodology for discussing and assessing IT capital planning and investment management practices at federal agencies.

According to the GAO, the ITIM Framework enhances previous federal IT investment management guidance by embedding the select/control/evaluate approach within a framework that explicitly describes the organizational processes required to implement sound ITIM.
Based on the best practices of leading organizations, the ITIM Framework is a hierarchical model comprised of five maturity stages, which represent steps toward achieving stable and mature investment management processes. Each stage builds upon the lower stages and enhances the organization’s ability to manage its investments. As an agency advances through these stages, the agency’s capability to effectively manage IT increases. In March 2004, the GAO revised the ITIM Framework to reflect the incorporation of EA into all five maturity stages. Our assessment of the DEA’s IT investment management was done using the revised framework.

The following chart describes the five maturity stages of the IT Framework.

[Chart: The Five Stages of Maturity Within ITIM. Source: The U.S. Government Accountability Office.]

With the exception of the first stage, each maturity stage is comprised of critical processes that must be implemented and institutionalized for the organization to satisfy the requirements of that stage. These critical processes are further broken down into key practices that describe the types of activities in which an agency should be engaged to successfully implement each critical process. An organization that has these critical processes in place is in a better position to successfully invest in IT. The following chart describes the ITIM Framework’s five stages and associated critical processes.

[Chart: The ITIM Stages of Maturity With Critical Processes. Source: The U.S. Government Accountability Office.]

As established by the ITIM Framework, each critical process is comprised of five core elements that indicate whether the implementation and institutionalization of a process can be effective and replicated.
The five core elements are: 1) purpose, 2) organizational commitment, 3) prerequisites, 4) activities, and 5) evidence of performance.

With the exception of the “purpose” core element, each of the other core elements contains key practices. The key practices are the attributes and activities that contribute most to the effective implementation and institutionalization of a critical process. The following chart summarizes the inter-relationships of components in an ITIM critical process.

[Chart: Components of an ITIM Critical Process. Source: The U.S. Government Accountability Office.]

Framework for Assessing and Improving Enterprise Architecture Management

Enterprise Architectures provide a clear and comprehensive picture of an entity, whether an organization or a functional or mission area that crosscuts more than one organizational unit. According to the GAO, investing in IT without defining these investments in the context of an EA often results in systems that are duplicative, not well integrated, and unnecessarily costly to maintain and interface.

An EA is made up of four components: Business Architecture, Applications Architecture, Data Architecture, and Technical Architecture. Together, these components provide a clear picture of how an organization accomplishes its mission, goals, and objectives. It also provides the baseline from which initiatives are planned and later compared.

Business Architecture focuses on “what” is done as opposed to “who” does it. It captures the business itself, independent of any technology, by describing the business areas and processes including common information requirements.
Business Architecture is based on an agency’s strategic plan and is linked to the application, data, and technology layers of the EA.

Applications Architecture is the means by which the agency and its personnel create, reference, update, or delete data acquired and collected by an agency. In essence, Application Architecture provides the link between the data and the entities required to perform the business functions, allowing an agency to fulfill its mission.

Data Architecture describes the data an agency needs for business operations and provides a data-related viewpoint. Data Architecture consists of universally accepted definitions that an agency uses to describe data. Completed Data Architecture provides an overall picture of the information an agency collects, manipulates, and stores in order to accomplish its mission.

Technical Architecture provides the platform for many business operations, the applications, and the enterprise data. Technical Architecture is what allows the entities performing business functions to use applications to manipulate the data necessary for an agency to accomplish its mission.

Since the late 1980s, EA Management Frameworks have emerged within the federal government, beginning with the publication of the National Institute of Standards and Technology framework in 1989. In 1992, the GAO issued EA guidance entitled Strategic Information Planning: Framework for Designing and Developing System Architecture.
This EA Management Framework was intended to:

      • provide a basis for systematically determining information needs,

      • identify and analyze information and data needs and relationships,

      • identify and analyze alternative ways to satisfy information needs, and

      • provide factors to be considered in arriving at the best way to satisfy information needs.

Since 1992, other federal entities have issued EA Management Frameworks, including the Department of Defense, the Department of the Treasury, and the Federal Chief Information Officers Council (CIO Council). Although the various frameworks use different structures, the frameworks are fundamentally consistent in purpose and content, and are being used today to varying degrees by many federal agencies.

In April 2003, the GAO, in collaboration with the OMB and the CIO Council, published a new EA Management Framework.[8] The new EA Management Framework provides measures for management to assess progress toward the desired end and to take corrective action to address unacceptable deviations.

The GAO EA Management Framework consists of three basic components: 1) five hierarchical stages of management maturity, 2) categories of attributes that are critical to the success in managing any endeavor, and 3) elements of EA management that form the core of the CIO Council’s Practical Guide.[9]

Consistent with the ITIM Framework, the EA Management Framework outlines five maturity stages. These stages include steps toward achieving a stable and mature process for managing the development, maintenance, and implementation of an agency’s EA.
As an organization improves its EA management capabilities, its EA management maturity increases.

[8] The framework is entitled Information Technology, A Framework for Assessing and Improving Enterprise Architecture Management, Version 1.1, (GAO-03-584G) dated April 2003.

[9] Federal Chief Information Officers (CIO) Council. A Practical Guide to Federal Enterprise Architecture, Version 1.0, February 2001. This publication is also known as the CIO Council’s Practical Guide, which is a step-by-step process guide intended to assist agencies in defining, maintaining, and implementing EAs by providing a disciplined and rigorous approach to EA management.

With the exception of the first stage, each maturity stage is composed of four critical success attributes that are critical to the successful performance of any management function. They are:

      • Demonstrates Commitment by the head of the enterprise providing support and sponsorship to achieve the success of the EA effort.

      • Provides the Capability to Meet Commitment by developing, maintaining, and implementing EA through adequate resources, clear definitions of roles and responsibilities, and implementing organizational structures and process management controls that promote accountability and effective project execution.

      • Demonstrates Satisfaction of Commitment to develop, maintain, and implement EA by producing EA plans and products.

      • Verifies Satisfaction of Commitment by measuring and disclosing the extent to which efforts to develop, maintain, and implement the EA have fulfilled stated goals or commitments.
        Measuring performance allows for tracking progress toward stated goals, allows appropriate actions to be taken when performance deviates significantly from goals, and creates incentives to influence both institutional and individual behaviors.

Collectively, these attributes form the basis by which an organization can institutionalize management of any given function or program, such as EA management. Each attribute contains core elements that contribute to the effective implementation and institutionalization of a critical success attribute. Appendix 4 summarizes the interrelationships of components in the EA management process.

The DEA’s Management of IT Infrastructure

The DEA seeks to manage its IT investments through agencywide repeatable processes rather than a single office. To illustrate the processes, the DEA has created a graphic illustration called “The House” (see Appendix 5) showing how strategic planning, budgeting, procurement, ITIM, quality management, IT security, System-Development Life-Cycle program management, and EA work together to accomplish the DEA’s mission. In reference to ITIM and EA, The House shows how each phase of the ITIM process relates to one or more of the architectural models. For example, by consulting The House, a DEA staff member can see that in the Control Phase of ITIM, the Data, Application, and Technology architectures should be reviewed before making a decision about the status of the project.

Reflecting the DEA’s decentralized ITIM, several divisions manage major IT initiatives: the Operations Division, the Intelligence Division, the Financial Management Division, the Operational Support Division, and the Inspection Division.
These divisions are responsible for specific networks and applications supporting their respective missions.

The Office of Diversion Control, within the DEA’s Operations Division, manages the design, development, and operation of the infrastructure and applications supporting DEA programs with the medical community and the chemical and pharmaceutical industries. The DEA’s Intelligence Division manages the classified network and the associated applications. The El Paso Intelligence Center, within the Intelligence Division, develops and manages infrastructure and applications that support customers at the federal, state, and local levels. The Financial Management Division is responsible for managing the DEA’s financial management systems.[10]

The DEA Chief Information Officer is the Assistant Administrator for the Operational Support Division, and reports to the DEA Administrator. The Deputy CIO is the Deputy Assistant Administrator for the Office of Information Systems and reports to the CIO. The Deputy CIO is responsible for the design, deployment, and operation of DEA’s general support networks, the majority of application systems supporting DEA’s mission, and the supporting quality management program. Staff in the Office of Information Systems work closely with customers from virtually all DEA offices, both in headquarters and the field (domestically and internationally). The Deputy CIO also manages the DEA-wide programs for IT strategic planning, IT capital planning and investment control, and EA.

The Office of Information Systems coordinates with each office to ensure that the procedures and applications developed by these offices are in compliance with the DEA-wide programs for IT strategic planning, IT capital planning and investment control, and the EA.
The Office of Investigative Technology is responsible for the systems that support telecommunications intercepts.

The Office of Security Programs in the Inspection Division is responsible for DEA’s IT security program. This includes development of policies and procedures, management of system certification and accreditation, coordination with the Department of Justice, reporting as required by the FISMA, and security monitoring of DEA networks.

Recent Efforts

The DEA has established three governing committees to facilitate its EA and ITIM development processes: 1) the Executive Review Board, 2) the Business Council, and 3) the Compliance Council. Together, the three governing committees are responsible for ensuring that the DEA’s EA and ITIM meet all federal and Departmental requirements.

[10] For a further breakdown of how DEA divisions are laid out, see the DEA Organization Chart in Appendix 6.

The Executive Review Board is responsible for providing leadership to implement a managed IT capital planning and investment control process. The IT capital planning and investment process includes the development and maintenance of an agencywide EA. The DEA’s CIO and the DEA’s Chief Financial Officer (CFO) jointly chair the Executive Review Board.

The Business Council is responsible for ensuring that projects and investments recommended by program managers are consistent with the DEA’s mission, strategic plan, capital planning goals, EA, and security policy. The Deputy Assistant Administrator, Office of Information Systems, chairs the Business Council.

The Compliance Council is responsible for evaluating IT investments and the DEA’s EA to ensure compliance with legislative regulations and DEA policy.
The Chief of the Strategic Business Management Section, Office of Information Systems, who is also the Chief Architect, chairs this committee.

In accordance with OMB guidance and best practices as outlined by the Federal CIO Council, the DEA has begun the construction of an EA. At the time of our audit, the DEA had completed a high-level “as is” EA. A high-level “as is” EA is a representation of current capabilities and technologies and is expanded as additional segments are defined.

The DEA’s high-level “as is” EA defines four architectural layers: 1) the business processes to accomplish the mission, 2) the information, 3) the software applications supporting the business, and 4) the technology necessary to perform the mission. The DEA’s CIO has approved the DEA’s high-level “as is” EA.

As stated previously, in December 2001 the DEA developed the “ITIM Process and Transition Plan” in an effort to improve its IT investment management practices and comply with the Department’s and other statutory regulations. The purpose of the plan is to better ensure that technological resources are linked to the DEA mission and IT Strategic Plan while providing a solid return on investment. According to the plan, the DEA would phase in ITIM over three years, in three phases ending in FY 2004. Each phase would correspond to one fiscal year. Phase 1 would focus on the business and budget side of ITIM, while Phases 2 and 3 would focus on the technical side.
Also, in Phase 2 ITIM would integrate security activities, and in Phase 3 ITIM would integrate EA activities.

The following excerpts from the plan provide an overview of how the DEA’s select, control, and evaluate processes for ITIM are intended to operate.

      Select

      During the Select Phase, new projects are introduced to the Executive Review Board for consideration. A program manager prepares a Concept Proposal for funding consideration by the Executive Review Board.[11] When completed, the program manager sends the Concept Proposal to the ITIM Management Group to be processed through the Business Council and the Executive Review Board. If the Executive Review Board determines that the concept has merit, then the program manager may spend an initial amount of money to prepare a business case for inclusion in the budget process.[12]

      Control

      During the Control Phase, funded investments are under development. A program manager submits monthly status reports to the ITIM Management Group for analysis. These reports include expenditures and work completed to date. The ITIM Management Group collects this information for the entire portfolio, analyzes the data, and identifies investments that might be at risk. The ITIM Management Group follows up with at-risk investments to determine if problems exist and how the problems should be solved.

      Evaluate

      During the Evaluate Phase, all IT investments currently in operation or maintenance and in need of continued funding are monitored to ensure that the investment is appropriately managed and continues to produce expected results and mission benefits.
      Periodic progress reviews are conducted to evaluate the investment’s continued value to mission benefits and alignment with EA direction. The Business Council predetermines which investments are candidates for retirement or upgrade, and passes this recommendation to the Executive Review Board, which uses this information for funding decisions.

[11] The Concept Proposal is a 2- to 5-page document that presents a high-level concept for a new investment. At this stage, the document represents an idea that the program manager wishes to bring to the attention of the Executive Review Board for funding consideration.

[12] The funding for preparing the business case is not included as a line item within the DEA’s approved budget. The program manager must find alternative resources to produce the business case.

The JMD officially approved the DEA’s Plan in March 2002. The March 2002 approval letter states that the DEA ITIM process conforms to the guidelines defined by the GAO, the OMB, and the Department. Further, it states that the Plan is clear and comprehensive in its statement of the ITIM policy and its definition of organizational roles, responsibilities, and deliverables.

FINDINGS AND RECOMMENDATIONS

Finding 1: Enterprise Architecture

      The DEA is in the process of developing its EA, scheduled to be completed in September 2004, that should provide a blueprint that will enable the DEA to more effectively and efficiently manage its current and future IT infrastructure and applications.
      The DEA has completed much of its EA, with the exception of developing a target architecture and a transition plan to accomplish the target architecture. The DEA has established a foundation consistent with the EA Management Framework to build its EA program. The DEA has assigned roles and responsibilities for developing the EA, committed resources, and established plans for completing the remaining EA stages. In addition, the DEA has developed a general, high-level description of its existing, or “as is,” architecture. The DEA is effectively managing its EA under the structure completed to date. However, without a completed EA, any organization assumes some degree of risk that it might invest in IT that is duplicative, not well-integrated, costly, or not supportive of the agency’s mission. In continuing to develop its EA, the DEA is taking steps to mitigate such risks. By completing its EA, the DEA will minimize the risks even further and provide a realistic vision of its future IT requirements.

Synopsis of the Five Stages of the EA Management Framework

To implement the five stages of the EA Management Framework, the DEA must also complete four critical success attributes: 1) demonstrates commitment, 2) provides the capability to meet the commitment, 3) demonstrates satisfaction of commitment, and 4) verifies satisfaction of commitment. Each attribute contains core elements that contribute to the effective implementation and institutionalization of the critical success attribute. Collectively, these attributes form the basis by which an organization can institutionalize management of any given function or program.

Stage 1. At this stage, there are no core elements to be completed.
However, the DEA must create an awareness of the value
of developing and using an EA by providing the management
foundation necessary for successful EA development as defined in
Stage 2.¹³

      Stage 2. To complete this stage, the DEA needs to: 1) assign
EA management roles and responsibilities; 2) commit the resources –
people, processes, and tools – necessary to develop an architecture;
and 3) establish plans to develop EA products and measure program
progress and EA product quality. As of April 2004, the DEA had
completed about 90 percent of the EA Management Framework criteria
for meeting the Stage-2 level of maturity.

      Stage 3. The DEA is moving from building the EA management
foundation to developing EA products for Stage 3. To complete
Stage 3, the DEA must: 1) establish organization policy for the EA
development; 2) ensure that EA products are under configuration
management; 3) ensure that EA products describe both the current
and target environments of the agency; and 4) ensure that progress
against EA plans is measured and reported.¹⁴ As of April 2004, the
DEA had completed one EA product – the current architecture.

      Stage 4. Additional work must be completed before the EA is
used as intended in Stage 4 – to drive sound IT investments that are
consistent with the DEA’s goals and missions. To complete the stage,
the DEA needs to: 1) establish policy for maintaining the EA, and
2) complete the EA including the current and target architectures
along with the transition plan to get from the current to the targeted
environments. The completed EA must be described in terms of
business, data, application, and technology and the descriptions must
address security; and it must be approved by the DEA’s CIO and the
Executive Review Board.
The DEA is working on adding more detail to
the high-level description of its current EA and developing the target
architecture, for completion by September 2004.

      Stage 5. To reach Stage 5 maturity, an agency is using the EA
as intended – to drive IT investments and ensure systems’
interoperability. The DEA has not completed the EA Management
Framework criteria for Stage 5; however, once Stage 4 has been
completed in September 2004, the DEA will then be in a position to
implement its EA as required in Stage 5. The status of each EA
Management Framework stage in the DEA follows.

¹³ See Appendix 7 for a table showing DEA’s EA progress through Stage 3 of
the EA Management Framework.

¹⁴ Configuration management is the process of managing changes to IT
systems or hardware.

Stage 1 Completed

      The DEA has created an awareness of the value of developing
and using the EA by providing the management foundation necessary
for successful EA development as defined in Stage 2. Specifics about
how the DEA accomplished this are discussed in detail in Stage 2.

Stage 2 Ninety-Percent Completed

      The DEA has completed eight of the nine core elements required
by the EA Management Framework and has achieved three of the four
critical attributes.
The remaining attribute to be completed is verifying
that management’s commitment to the establishment of the EA has
been satisfied through the development of measures for EA progress,
quality, compliance, and return on investment.

Critical Attribute 1: Demonstrates Commitment

      To complete the first critical attribute for Stage 2 of the EA
Management Framework, the DEA demonstrated its commitment to
building an EA management foundation by establishing two core
elements:

      1) to ensure the existence of adequate resources, and

      2) to establish DEA-wide committees responsible for directing,
         overseeing, and approving the EA.

      Adequate Resources. According to the EA Management
Framework, obtaining adequate resources includes: 1) identifying and
securing the funding necessary to support EA activities; 2) hiring and
retaining the right people with the proper knowledge, skills, and
abilities to plan and execute the EA program; and 3) selecting and
acquiring the right tools and technology to support EA activities.

      The DEA initiated the development of an EA program in 2002
and estimates that it will cost approximately $2.7 million to complete
the EA by September 2004.
The following table shows the DEA’s
expenditures as of FY 2003 to develop an EA and the estimated cost to
complete the EA to Stage 5, or full maturity.

                          EA Development Cost

                            Actual Cost     Estimated
                            Through         Remaining     Estimated
      Cost Element          FY 03           Cost          Total Cost
      Agency Personnel         $188,000       $417,000      $605,000
      Development
      Contractor               $345,000     $1,727,000    $2,072,000
      Tools                          $0        $30,000       $30,000
      Training                   $3,500        $10,000       $13,500
      Total                    $536,500     $2,184,000    $2,720,500

      Source: The Drug Enforcement Administration.

      In FY 2002, the DEA spent $667,000 from its base
appropriations for EA development. In FY 2003 the DEA requested an
additional $400,000 to continue developing EA, but the funding was
not approved. According to the DEA’s EA Chief Architect, approval of
the requested amount would have allowed the DEA to complete a
detailed description of the existing architecture more quickly.¹⁵ She
also stated that the DEA was able to contract out the EA development
project using funds from other sources.

      The DEA has allocated 4.25 full time equivalent staff —
but assigned 3.25 full time equivalent staff (.5 managers, .5 staff
members, and 2.25 contractors) — in support of EA efforts and
completion of the current EA. The Deputy Assistant Administrator of
the DEA’s Office of Information Systems, which is the office
responsible for developing the DEA’s EA, is currently serving as the
Chairman of the Department’s EA committee.
The Chief Architect, who
established the foundation for the DEA’s EA, had transferred to the
DEA from the Department’s Justice Management Division where she
had dealt with technology issues. The DEA’s Program Office has two
senior analysts and one junior analyst assigned to work on completing
the EA.¹⁶ Additionally, the DEA hired a contractor in October 2003 to
aid in the completion of the EA.

¹⁵ The Chief Architect retired in March 2004, and an Acting Chief Architect was
designated.

¹⁶ The Program Office was established within the Office of Information
Systems to oversee the development and maintenance of the EA.

      In addition to funding and human resources, the DEA has
acquired tools and technology to support its EA activities. The DEA
uses the Popkin System Architect (Popkin) as its automated EA tool.¹⁷
According to the Chief Architect, one reason the DEA chose Popkin is
that the Department is also using Popkin and the future integration of
the DEA’s EA with the Department’s EA may be more easily achieved.
Because the DEA has just recently begun using the Popkin tool, we did
not assess its effectiveness in clearly and completely documenting the
DEA’s EA, but we agree that using the same tool as the Department
should aid in the future integration of the agency’s EA with the
Department’s EA.

      EA Governing Committees. The EA Management Framework
states that an agency should assign responsibility for directing,
overseeing, and approving architectures to a committee or group with
cross-representation from throughout the enterprise.
Establishing
agencywide responsibility and accountability is important to
demonstrate the agency’s commitment to building a management
foundation for the EA and obtaining buy-in from across the agency.
Accordingly, the committee or group should include executive-level
representatives from each line of the business, and these executive
representatives should have the authority to commit resources and
enforce decisions within their respective organizational units.

      To meet the requirements of the EA Management Framework,
the DEA established three governing committees: 1) the Executive
Review Board, 2) the Business Council, and 3) the Compliance Council.
Together, the three governing committees are responsible for ensuring
that the DEA’s EA meets all federal and Departmental requirements.

      The Executive Review Board is responsible for providing
leadership to implement a managed IT capital planning and investment
control process. The IT capital planning and investment process
includes the development and maintenance of an agencywide EA.
The Executive Review Board has the authority to recommend or
approve:

      •    the continuation, modification, or termination of funding for IT
           investments;

      •    the delay of a subsequent activity in a project plan;

      •    corrective action based on the results of the board’s review;

      •    members of the Business Council; and

      •    changes to the DEA’s EA and its ITIM process.

¹⁷ The Popkin System Architect is an enterprise architecture tool that stores
and organizes the agency’s overall EA information.

      The Executive Review Board’s responsibility to the EA
development consists of approving the completed EA and any
subsequent changes.
Consequently, it would not meet until the EA is
completed. At this point of the EA development process, the EA
Program Office is responsible for ensuring the integrity of the EA in
meeting the DEA’s mission and goals.

      The DEA’s Chief Information Officer and the DEA’s CFO jointly
chair the Executive Review Board. In our judgment, the membership
of the Executive Review Board demonstrates an agencywide leadership
commitment to the EA process.¹⁸ The Executive Review Board
membership consists of the following:

      •    Assistant Administrator, Operational Support Division, and
           CIO.

      •    Chief Counsel, Office of the Chief Counsel.

      •    Deputy Assistant Administrator, Office of Diversion Control.

      •    Chief Financial Officer, Financial Management Division.

      •    Assistant Administrator, Human Resources.

      •    Assistant Administrator, Intelligence Division.

      •    Chief Inspector, Inspections Division.

      •    Chief, Office of Congressional and Public Affairs.

      •    Special Agent-in-Charge, Office of Training; and

      •    Special Agent-in-Charge, Advisory Council.

¹⁸ For a further breakdown of how DEA divisions are laid out, see the DEA
Organization Chart in Appendix 5.

      The Business Council’s primary responsibility is to ensure that
projects and investments recommended by program managers are
consistent with the DEA’s mission, strategic plan, capital planning
goals, EA, and security policy. The Business Council members function
as the working level experts for the ITIM process by providing
business expertise specific to their respective business unit.
The Business Council’s membership is at the Grade-15 level and includes a
representative from every organizational unit within the DEA. The
Deputy Assistant Administrator, Office of Information Systems, chairs
the Business Council.

      The Compliance Council is responsible for evaluating IT
investments and the DEA’s EA to ensure compliance with legislative
regulations and DEA policy. The Compliance Council consists of
members whose day-to-day responsibilities involve a compliance area.
The members work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.
The Chief of the Strategic Business Management Section, Office of
Information Systems chairs this committee.

Critical Attribute 2: Provides Capability to Meet Commitment

      The completion of the second critical attribute for achieving
Stage 2 requires the DEA to establish three core elements:

      1) to establish a program office responsible for EA development
         and maintenance;

      2) to appoint a Chief Architect; and

      3) to develop the EA using a framework, methodology, and
         automated tool.

      The DEA has implemented the three core elements above to
achieve Critical Attribute 2.

      EA Program Office. The EA Management Framework states that
EA development and maintenance should be managed as a formal
program. Accordingly, responsibility for EA management should be
assigned to an organizational unit and not an individual.
The CIO Practical Guide, discussed in the Background section of this report,
states that the primary responsibility of the EA Program Office is to
ensure the success of the EA program.

      In response to the Framework and the CIO Practical Guide, the
DEA reorganized its Office of Information Systems to include a
Strategic Business Analysis Section as the EA Program Office
(Program Office). The Program Office is responsible for the
development and maintenance of the DEA EA.

      To accomplish its responsibility, the Program Office coordinates
with offices throughout the DEA as well as external IT organizations;
assists DEA customers in developing their concepts and plans for the
application of IT to their business processes; and also assists
customers with the ITIM process. Further, the Office of Information
Systems proposed a staffing level that would enable the Program
Office to complete its work. The following table shows the Strategic
Business Analysis Section’s proposed staffing level, and the staffing
level as of February 2004.

                         Proposed Staffing for the
                    Strategic Business Analysis Section

                                                   Proposed    Staffing
                                                   Staffing    Level As
      Title                    Series/Grade        Level       Of 2/04
      Section Chief
      Supervisory
      Computer Specialist      GS-2210/15              1           1
      Unit Chief
      Supervisory
      Computer Specialist      GS-2210/14              2           1
      Computer Specialist      GS-2210/13              4           2
      Management Analyst       GS-0301/9/11/12         2           1
      Contractors                                      7           4

      Total                                           16           9

      Source: The Drug Enforcement Administration.

      As the above table shows, the section’s staff consists of a chief,
three computer specialists, and one management analyst. Two of the
three computer specialists on board were assigned to help complete
the EA. As of April 2004, seven contractor personnel were allocated to
the section, but only four had completed the security clearance
process and were on board.

      Even though the proposed staffing level for the section was not
fully achieved, the DEA began developing the EA and implementing the
ITIM process.¹⁹ As stated previously, the DEA has documented its
high-level current architecture outlining the agency’s business areas,
applications, data, and technology. According to the DEA’s
Chief Architect, not having the full complement of staff slowed
progress toward completing the EA.

¹⁹ The DEA’s progress in the implementation of the ITIM process is discussed
in Finding 2 of this report.

      Chief Architect. The CIO Practical Guide and the EA
Management Framework state that an agency should appoint an
executive as Chief Architect, who is responsible and accountable for
the EA, and whose background and qualifications include both the
business and technology areas of the organization. Additionally, the
Chief Architect is responsible for ensuring the integrity of the EA
development process and for the content of the EA products.

      The DEA appointed the head of the Strategic Business Analysis
Section as the Chief Architect. As discussed previously, this person
transferred from the Department’s Justice Management Division where
she participated in business (including budgeting) and technology
issues.
The Chief Architect is responsible for:

      •    developing, implementing, and managing the DEA’s EA;

      •    planning the transition from the current to the future EA, and
           monitoring the implementation of the transition plan;

      •    monitoring and evaluating whether IT investments are
           consistent with the current and the future EA; and

      •    developing processes, procedures, guidance, tools, and
           templates to carry out the DEA’s EA program.

      Framework, Methodology, and Automated Tool. The DEA uses a
combination of two frameworks to develop its EA. One framework is
known as the Federal Enterprise Architecture Framework (FEAF), and
the other is the Zachman Framework – named after John Zachman, a
recognized leader in the EA field.

      The FEAF is intended to provide federal agencies with a common
way of constructing their respective architectures.²⁰ According to the
GAO, the FEAF facilitates the coordination of common business
processes, technology insertion, information flows, and system
investments among federal agencies. The FEAF describes an
approach, including models and definitions, for developing and
documenting architecture descriptions for different segments of the
federal government. Similar to the Zachman Framework, the FEAF’s
proposed model describes an entity’s business, data necessary to
conduct the business, applications to manage the data, and technology
to support the applications.

²⁰ The federal CIO Council published the Federal Enterprise Architecture
Framework in September 1999. See Appendix 8 for a graphic illustration of the
FEAF.

      The Zachman Framework provides six perspectives, or
viewpoints, on how an agency operates: 1) the strategic planner,
2) the system user, 3) the system designer, 4) the system developer,
5) the subcontractor, and 6) the system itself. The Zachman
Framework also provides six models associated with each of the six
viewpoints: 1) how the agency operates, 2) what the agency uses to
operate, 3) where the agency operates, 4) who operates the agency,
5) when the agency’s operations occur, and 6) why the agency
operates.

      The DEA saw benefits in both frameworks and combined these
two concepts in developing its EA. However, the DEA has been more
concerned about ensuring that the EA aligns with the FEAF since that
framework will eventually be used by the entire federal government.

      The DEA’s methodology to develop its EA is a three-phase
approach.

Phase 1. Includes documenting, at a high-level, what currently exists
within the DEA in terms of business areas, applications, data, and
technology.

Phase 2. Includes 1) providing more detail to the current
architecture, 2) goals and objectives stated in the Department and the
DEA strategic plans, 3) performance measures, 4) aligning the DEA’s
architecture with the Federal Enterprise Architecture reference models,
and 5) aligning the architecture with the DEA’s capital planning
process.

Phase 3. Includes the establishment of the target architecture,
including security compliance and the development of a transition
plan.

      The DEA completed Phase 1 of the EA development in
December 2002.
In February 2003, the DEA’s CIO submitted the
high-level description of the DEA’s current EA to the three DEA IT
governing boards for inclusion in the budget process. In March 2004,
the DEA told us that its contractor completed Phase 2, and the DEA
was in the process of reviewing the contractor’s work for compliance
with the FEAF requirements. As of April 2004, the DEA had not begun
Phase 3 of the EA project.

      An EA automated tool serves as the storehouse of the
architecture products. Architecture products include the current and
target architectures and the transition plan. The choice of tool is
based on the agency’s needs and the size and complexity of the
architecture. As stated previously, the DEA has chosen the Popkin
automated tool to store its architecture products. The DEA chose
Popkin because the Department is also using Popkin and the future
integration of the DEA’s EA with the Department’s EA may be more
easily achieved.
Because the DEA has just recently begun using the
Popkin tool, we did not assess its effectiveness in clearly and
completely documenting the DEA’s EA, but we agree that using the
same tool as the Department should aid in the future integration of
both EAs.

Critical Attribute 3: Demonstrates Satisfaction of Commitment

      The completion of the third critical attribute for achieving
Stage 2 requires the DEA to establish an EA Program Plan that
includes the following core elements:

      1) describes both the current and the target architectures as
         well as a transition plan;

      2) describes the current and target architectures in terms of
         business, performance, information, application, and
         technology; and

      3) determines the application of security within each
         architectural area.

      We evaluated the DEA’s EA Program Plan and found that the
plan complies with the criteria established in the framework, and
demonstrates completion of the third critical attribute.

      Current and Target Architectures, and Transition Plan. The
CIO Council requires that agencies have a written EA Program Plan.
The plan should describe the steps to be taken and the tasks to be
performed in managing the EA program. The plan should also make
provision for the development of architectural descriptions of how the
organization currently operates (the current), how it intends to operate
in the future (the target), and how it will transition from the current to
the target environment (the transition).

      The DEA has developed a plan in accordance with the CIO
Council’s guidelines.
According to the DEA Program Plan, the DEA will:

      •   establish a DEA-wide current architecture that is consistent
          with the OMB EA reference models and the Department’s EA
          program,

      •   develop a component-based target architecture focused on
          the delivery of enterprise-wide and business-process level IT
          solutions,

      •   establish a target architecture-driven ITIM and IT Strategic
          Planning process, and

      •   establish a transition plan.

      Security. In the Program Plan, the DEA states that the
requirements associated with information security are guided by
legislation, including the Federal Information Security Management
Act. As a result, the security elements of the EA will be embedded
within the target EA as a specific EA layer.

      The plan requires the DEA’s EA to comply with EA regulations
and guidance available to federal agencies. The DEA is using various
guidance to complete the EA including: Annual Performance Plan,
Strategic Plan, IT Strategic Planning, IT Capital Planning, EA Analyses
Reports, Communications Plan, IT Governance Plan, and Transition
Plan. According to the DEA, the guidance is used in establishing a
balance between the detail of the architecture and cost constraints of
the architecture program.

      Detailed analyses of the current architecture will allow the DEA
to identify areas in which applications could be combined and where
future investments are necessary. The results of these analyses form
the basis for the target architecture. As stated previously, the DEA
has completed a high-level description of its current architecture and is
working on adding more detail to the current architecture and
beginning to develop the high-level target architecture.
The current
architecture describes to the DEA the current state of business
operations and information exchange within and across the
organization, but it does not show where the DEA wants to go in the
future.

Critical Attribute 4: Verifies Satisfaction of Commitment

      The completion of the fourth critical attribute to achieve Stage 2
requires the DEA to ensure that the Program Plan calls for the
following core element:

      1) developing metrics for measuring EA progress, quality,
         compliance, and return on investment.

      The measurement of EA progress, quality, and compliance is
necessary to ensure that the EA meets the targeted milestones and is
compliant with the necessary regulatory requirements. Measuring
return on investment would tell the DEA what benefits are realized by
the development of the EA in relation to the cost of the EA
development.

      Developing Metrics for Measuring EA Progress. The DEA has not
yet established metrics for measuring EA progress, quality,
compliance, and return on investment.
The DEA Chief Architect told
us that these metrics would be developed at a later unspecified date.

      EA Stage 2 Summary

      The DEA has completed nearly 90 percent of Stage 2 and has
made progress toward attaining Stage 3 as required by the EA
Management Framework.

Stage 3 Progress

      In Stage 3, the DEA must implement six core elements within
the four critical attributes required by the EA Management Framework.
The DEA has partially completed one of the four critical attributes,
critical attribute 3, which requires the DEA to ensure that the current
and target architectures are described in terms of business, data,
application, and technology.

Critical Attribute 1: Demonstrate Commitment

      To complete the first critical attribute for Stage 3 of the EA
Management Framework, the DEA must establish the following core
element:

      1) develop a written and approved organization policy for the EA
         development.

      According to the EA Management Framework, an organization
policy is an important means for ensuring agencywide commitment to
developing the EA and for clearly assigning responsibility for doing so.
The architecture policy should define the scope of the architecture as
including a description of the current and target architecture, as well
as a transition plan that supports the move from the current to the
target architecture. Additionally, the policy should provide for having
processes for EA oversight and control, review, and validation. The
policy should also address the purpose and value of an EA; its
relationship to the organization’s strategic vision and plans; and its
relationship to capital planning process.

      The DEA has not established a formal written and approved
organization policy for the EA development.
However, the DEA has
established the required elements of the EA development policy in
different ways.

      As described in Stage 2, the DEA established the IT governing
boards with representation from all DEA business areas to ensure
agencywide commitment to EA development. The DEA also
established the EA Program Office with responsibility for developing
the EA. In addition, the EA Program Management Plan – discussed in
Stage 2 – outlines the scope of the architecture including a description
of the current and target architecture, as well as the transition plan.
The EA Program Management Plan also addresses EA oversight,
control, review, and validation responsibilities. Further, the DEA’s CIO
outlined the value of the EA, its relationship to the organization’s
strategic vision and plans, and the capital-planning process in the
DEA’s IT Strategic Plan. However, having the EA development
information together in the form of an organization policy will allow
any DEA staff member to consult one document for information
concerning the development and implementation of the DEA EA.

Critical Attribute 2: Provides Capability to Meet Commitment

      The completion of the second critical attribute for achieving
Stage 3 maturity requires the DEA to establish the following core
element:

      1) ensure that EA products are under configuration
         management.²¹

²¹ Configuration management is the process of managing changes to IT
systems or hardware.

      As of May 2004, the DEA current architecture had not met this
standard.
The DEA’s Chief Architect told us that configuration
management within the DEA is evolving and the DEA is moving toward
establishing an office to manage it.

      At the time of our audit, the DEA was in the process of
establishing a Quality Management Unit within the Office of
Information Systems. The Quality Management Unit will be
responsible for configuration management of the DEA IT infrastructure
including the EA. The EA is intended to reflect the impact of ongoing
changes in business function and technology on the agency, and
support capital planning and investment management in keeping up
with these changes. Consequently, the completed EA – current
architecture, target architecture, and transition plan – needs to be kept
accurate and current.

Critical Attribute 3: Demonstrates Satisfaction of Commitment

      The completion of the third critical attribute for achieving
Stage 3 maturity requires the DEA to establish three core elements:

      1) ensure that EA products describe or will describe the current
         and target agency environments, as well as the transition
         plan;

      2) ensure that the current and target environments are
         described in terms of business, data, application, and
         technology; and

      3) ensure that the business, data, application, and technology
         descriptions address or will address security.

      Current and Target Architectures, and Transition Plan. According
to the EA Program Plan, EA products will describe the current and
target agency environments as well as the transition plan.
As stated
earlier, the DEA has not completed all components of the EA.
However, it has completed a high-level description of its existing
architecture and has plans to complete the target architecture and
transition plan by September 2004.

      The EA Program Plan also states that EA products – current and
target architectures and the transition plan – will be described in terms
of business, data, application, and technology. To show its
commitment to the plans outlined in the EA Program Plan, the DEA’s
high-level description of the existing architecture was described in
terms of business, data, application, and technology.

     Security. In the EA Program Plan, the DEA stated that security
would be addressed as a specific layer within the target architecture.

Critical Attribute 4: Verifies Satisfaction of Commitment

     The completion of the fourth critical attribute to achieve Stage 3
maturity requires the DEA to establish the following core element:

      1) ensure that progress against EA plans is measured and
         reported.

     As stated in Stage 2, the DEA has not established metrics for
measuring EA progress. The measurement of such progress against
EA development plans is necessary to ensure that the development
meets targeted milestones.

      EA Stage 3 Summary

      The DEA has made limited progress toward attaining Stage 3
maturity of the EA Management Framework. The DEA has developed
one EA product, the high-level current architecture. The high-level
current architecture meets the requirements of the EA Management
Framework in terms of the business, data, application, and technology
areas. However, the DEA lacks a written and approved policy for EA
development, implementation, and maintenance.
In addition, the DEA
must ensure that when completed, all EA products undergo
configuration management and that the target architecture addresses
security as outlined in the EA program plan.

Attaining Stage 4 Maturity

      To complete Stage 4, an agency must: 1) establish policy for
maintaining the EA, and 2) complete the EA including the current and
target architectures along with the transition plan to get from the
current to the targeted environments. The completed EA must be
described in terms of business, data, application, and technology; and
the descriptions must address security and be approved by the agency
CIO and the committee or group representing the agency or the
investment review board. The DEA has not established a formal
written organization policy for maintaining the EA. However, the
document creating the EA Program Management Office outlines the
procedures for maintaining the EA.

      To attain Stage 4 maturity, additional work must be completed
before the EA is used as intended – to drive sound IT investments that
are consistent with the DEA’s goals and missions. Currently, the DEA
is working on adding more detail to the high-level description of its EA
and developing the target architecture.
The following chart shows the
DEA’s timeline for completing its EA by September 2004.

[Figure: DEA timeline for completing the EA, in three periods:
October 2003 – January 2004, January 2004 – March 2004, and
March 2004 – Sept 2004. Labels in the chart: Develop and Populate
Enterprise Architecture Management System (Popkin); DEA Existing
Repository; Business Reference Model; Technical Reference Model;
Service Reference Model; DEA Offices; Baseline Architecture (Phase
One); Business; Performance; Stakeholders; Technology; Security;
Identify Enterprise Wide Opportunities; Budget Process; DEA Target
Architecture Version 1, 2004 - 2007; DEA Transition Plan; GISRA
(FISMA) Compliance; Propose a Governance Structure; Establish
Governance Structure.]

Source: The Drug Enforcement Administration.

      Target Architecture

      The DEA’s target architecture will define the vision of the DEA’s
future business operations and supporting technology and will also
describe the desired capability and structure of the business
processes, information needs, and IT infrastructure at some point in
the future.
Just as the current architecture captured the existing
business practices, functionality, and information flows, the target
architecture will reflect what the DEA needs to evolve its information
resources.

      The target architecture, when completed, will identify the:

      •   strategic business objectives of the DEA,

      •   information needed to support the business,

      •   applications needed to provide the information, and

      •   technology needed to support the applications.

According to the CIO Council, a target architecture should:

      •   reflect the EA team’s judgment about the future uses and
          characteristics of information within the agency,

      •   reflect the organization’s business area review requirements
          for identifying opportunities to automate aspects of work,

      •   incorporate technology forecasts,

      •   specify the level of interoperability needed between data
          sources and the users of the data,

      •   identify the IT needed to support the agency’s objective as
          stated in the IT Strategic Plan, and

      •   reflect concerns with the budget and geographical locations.

       The DEA’s Chief Architect told us that the development of a
target architecture is the most time-consuming and costly portion of
the EA development.
However, a target architecture is necessary to
evaluate whether current IT investments are capable of taking the DEA
into the technology future.

      Transition Plan

       According to the CIO Council, the process of evolving from an
existing architecture to a target architecture is complex and requires
multiple inter-related activities. The best way to understand and
control such a complex process is to develop and maintain a systems
migration roadmap, or transition plan.

      A transition plan provides a step-by-step process for moving
from a current architecture to a target architecture. Such a plan is the
primary tool used for program management and investment decisions
because the plan represents the current environment as well as any
development programs that are planned or underway. To remain
current and to support continued coordinated improvements across an
agency, a transition plan should be maintained and updated as time
and circumstances dictate.

      In addition to specific development requirements for the new
components in a target architecture, a transition plan should consider
including a wide variety of inputs such as:

      •   sustaining operations during a transition,

      •   the existing technical assets and contractual agreements,

      •   anticipated management and organizational changes,

      •   business goals and operational priorities, and

      •   budgetary priorities and constraints.

      A transition plan defines and differentiates between legacy,
migration, and new systems. The legacy systems and their
applications are those in current operation and usually are phased out
during the deployment of a target architecture.
Migration systems and
applications may be in current operation, but certainly will be in
operation when the transition begins and for some time into the
future. New systems and applications are those that are being
acquired, are under development, or are being deployed. The new
systems and applications are expected to be operational as part of the
target environment.

      A transition plan should form the basis for the DEA’s annual IT
capital investment plan, which is a key ITIM component. Until the DEA
develops a transition plan, there is a risk that it may invest in
technology that does not meet the DEA’s missions and goals.

      EA Stage 4 Summary

       To complete its EA, the DEA must develop the target
architecture and a transition plan to allow the EA to do as intended –
to drive IT investments.

Attaining Stage 5 Maturity

      According to the EA Management Framework, an organization at
Stage 5 maturity has: 1) completed the EA, and 2) secured senior
leadership approval of it. In addition, at Stage 5 decision-makers are
using the architecture to identify and address ongoing and proposed IT
investments that are conflicting, overlapping, not strategically linked,
or redundant. Thus, Stage 5 agencies are able to avoid unwarranted
overlap across investments and ensure maximum systems
interoperability, which in turn ensures the selection and funding of IT
investments with manageable risks and returns.
In essence, an
agency at Stage 5 maturity is using the EA as intended – to drive IT
investments and ensure systems interoperability.

      EA Stage 5 Summary

     The DEA cannot meet Stage-5 requirements of the EA
Management Framework until it completes the EA.

Conclusion

       The DEA continues to make progress toward completing an EA in
accordance with available guidance and frameworks and has begun to
effectively manage its EA with the aspects completed to date. As of
April 2004, the DEA had completed nearly 90 percent of the EA
Management Framework criteria for meeting the Stage 2 level of
maturity. The DEA has completed eight of the nine core elements for
Stage 2 required by the EA Management Framework and thereby has
achieved three of the four critical attributes.

      The DEA has demonstrated its commitment to complete the EA
by: 1) obtaining senior management buy-in through the EA governing
committees; 2) reorganizing its Office of Information Technology
Systems to include an office focused on the development,
implementation, and maintenance of the EA; and 3) appointing a Chief
Architect to ensure the integrity of the EA development process, and
by selecting a framework, methodology, and automated tool to aid in
completing the EA.

      The DEA has made limited progress toward attaining Stage 3
maturity of the EA Management Framework. The DEA has developed
one EA product, the high-level current architecture, which meets the
requirements of the EA Management Framework in terms of the
business, data, application, and technology areas.

      In September 2002, the DEA documented a high-level
description of its “as is,” or current, EA using DEA personnel who were
assisted by a contractor. The development of the current EA is
required to achieve Stage 3 of the EA Management Framework.
The
high-level current EA provided the DEA with descriptions of its
business processes, applications used to carry them out, data used in
accomplishing them, technology used in implementing them, and
stakeholders affected by them.

      However, the high-level “as is” EA lacked the detail necessary for
the DEA to progress to a “to be,” or target architecture. In April 2004,
the contractor added the necessary detail, and the DEA accepted the
product after reviewing it to ensure consistency with the Federal
Enterprise Architecture Framework.

      To attain Stage 3 maturity, the DEA must establish a written and
approved policy for EA development, implementation, and
maintenance, and ensure that EA products undergo configuration
management. In addition, the DEA must ensure that the target
architecture addresses security as outlined in the EA program plan.

      To attain Stage 4 and 5 levels of maturity as described by EA
Management Framework, the DEA must complete and begin
implementing the EA. To build on its accomplishments, the DEA needs
to press forward with completing its target architecture and transition
plan. Without those plans, the DEA cannot ensure that technology
proposals will meet future IT requirements.

Recommendations:

      We recommend that the DEA:

1.    apply metrics to measure EA progress, quality, compliance, and
      return on investment;

2.    establish an organization policy for EA development and
      maintenance that meets the requirements of the EA
      Management Framework;

3.    ensure that the completed EA undergoes configuration
      management;

4.    ensure that the target architecture addresses security as
      outlined in the EA Program Plan; and

5.    complete and implement the remaining EA stages to ensure that
      IT investments are not duplicative, are well-integrated, are cost
      effective, and support the DEA’s mission.

Finding 2: Information Technology Investment Management

      The DEA has improved the effectiveness of its IT
      investment management (ITIM) by advancing its level of
      maturity from Stage 1 to Stage 2 in the five-stage ITIM
      Framework.22 The DEA has created an awareness of the
      importance of an IT investment process and has instituted
      the processes necessary to build an IT investment
      foundation. The DEA has also established investment
      boards to ensure that policies for selecting, controlling,
      and evaluating IT investments are developed and
      consistently followed throughout the organization. The
      DEA also has completed about one-third of Stage 3
      required by the ITIM Framework, including documenting
      policies and procedures for creating and modifying IT
      portfolio selection criteria and ensuring that the
      investment board has approved the IT portfolio selection
      criteria. In addition, the DEA has implemented the select
      phase of the ITIM process and has plans to implement the
      control and evaluate phases in 2004.
      By advancing to
      Stage 2 of the ITIM Framework, the DEA has begun to
      mitigate the risk of basing its IT decisions on judgment,
      intuition, and partial data rather than on objective,
      systematic, IT-related information that is routinely
      collected and analyzed within the ITIM process.
      Institutionalizing the entire ITIM process will further reduce
      such risks to the DEA.

Synopsis of the Five Stages of the ITIM Process

      To implement the five stages of the ITIM process, the DEA must
also complete five core elements for each critical process listed below.
The five core elements are: 1) purpose, 2) organizational
commitment, 3) prerequisites, 4) activities, and 5) evidence of
performance. With the exception of the “purpose” core element, each
of the other core elements also contains key practices, which are the
attributes and activities that contribute most to the effective
implementation and institutionalization of a critical process.23

      22 In Stage 1 an organization has created an IT investment awareness by
characterizing its IT investment process through unstructured processes. In Stage 2
an organization builds the foundation for current and future investment success by
establishing basic IT selection and control processes.

      23 See Appendix 9 for a table showing DEA’s progress through Stage 3 of the
ITIM Framework.

       Stage 1. To complete this stage, the DEA needs to create
investment awareness, using the following critical process: using a
disciplined investment process for IT spending. The DEA has created
an IT investment awareness within the agency.

      Stage 2.
The second stage – building the investment
foundation needs – consists of the following critical processes within
the ITIM Framework: instituting the investment board, meeting
business needs, selecting an investment, providing investment
oversight, and capturing investment information. The DEA has
completed the stage entirely.

      Stage 3. Developing a complete investment portfolio is the
objective of this stage. Critical processes include: defining the
portfolio criteria, creating the portfolio, evaluating the portfolio, and
conducting post-implementation reviews. The DEA has made
progress in completing this stage.

      Stage 4. This stage consists of improving the investment
process and uses the following critical processes: improve the
portfolio’s performance and manage the succession of information
systems. As the DEA’s selection and control processes mature, the
DEA will begin focusing on improving the established evaluation
processes for this stage.

      Stage 5. Leveraging IT for strategic outcomes is the final stage
in the ITIM maturity process. The critical processes for this stage are:
optimizing the investment process and using IT to drive strategic
business change. The DEA will attain Stage 5 maturity when its
selection, control, and evaluation processes operate together to
produce IT outcomes. The status of the DEA’s ITIM stages follows.

Stage 2 Completed

       The DEA has attained a basic ITIM capability (Stage-2 maturity)
to establish the foundation for effective and replicable IT project-level
investment selection and control processes.
Selection processes
ensure that the DEA has an effective methodology for approving only
those IT projects that are consistent with its needs and goals.
Effective control processes ensure that deviations from cost and
schedule baselines can be identified quickly.

Critical Process #1: Instituting the Investment Boards

        According to the ITIM Framework, the purpose of investment
boards is to ensure that basic policies for selecting, controlling, and
evaluating IT investments are developed, institutionalized, and
consistently followed throughout the organization. Depending on its
size, structure, and culture, an organization may have more than one
IT investment review board. The organization may choose to make
the same board responsible for executive guidance and support for the
EA. Such an overlap of responsibilities may enhance the ability of the
boards to ensure that investment decisions are consistent with the EA
and that the EA reflects the needs of the organization.

      In establishing three agencywide IT Investment Boards – the
Executive Review Board, the Business Council, and the Compliance
Council – the DEA implemented the following key practices as stated in
the ITIM Framework:

     •   established and appointed members to agencywide IT
         investment boards responsible for defining and implementing
         the DEA’s IT investment process,

     •   established an IT investment process for directing the
         investment boards’ operations,

     •   provided resources to support the operations of the IT boards,

     •   ensured that the boards’ members understand the
         organization’s ITIM policies and the procedures used in the
         decision-making process,

     •   ensured that the boards’ spans of authority and
         responsibilities were defined to minimize overlaps or gaps,

     •   ensured that the agencywide investment boards have
         oversight responsibilities for the development and
         maintenance of the organization’s documented IT investment
         process,

     •   ensured that the investment boards operate in accordance
         with assigned authority and responsibility, and

     •   established management controls to ensure that the
         investment boards’ decisions are carried out.

      Investment Boards. The DEA has established three IT
investment boards: 1) the Executive Review Board, 2) the Business
Council, and 3) the Compliance Council. These three boards are also
responsible for executive guidance and support for the EA. The
boards’ EA responsibilities are discussed in detail in Finding 1 of this
report.

      The Executive Review Board’s primary responsibility is to provide
leadership to enable the implementation of a managed information
technology, capital planning, and investment control process. The
Executive Review Board also recommends the continuation,
modification, or termination of funding for IT projects. The DEA’s
Chief Information Officer and Chief Financial Officer jointly chair the
Executive Review Board.
Additional members of the board include
three DEA Assistant Administrators, the Chief Counsel, the Chief
Inspector, the Chief of the Office of Congressional and Public Affairs,
and two Special Agents in Charge.24

      The Business Council’s primary responsibility is to ensure that
recommended projects and investments are consistent with the DEA
mission, strategic plan, capital planning goals, EA, and security policy.
Business Council members function as working-level experts for the
ITIM process by providing business expertise specific to the business
units that each member represents. The Deputy Assistant
Administrator of the Office of Information Systems chairs the Business
Council, and the members are GS-15 level staff members from every
organizational unit within the DEA.

      The Compliance Council is responsible for evaluating IT
investments to ensure compliance with legislative regulations and DEA
policy. The Chief of the Strategic Business Analysis Group, Office of
Information Systems, chairs the Compliance Council. The Compliance
Council’s members include individuals whose day-to-day
responsibilities involve a compliance area. The members of the
Compliance Council work to ensure compliance with such areas as the
Federal Enterprise Architecture, the Government Performance and
Results Act, and the Government Information Security Reform Act.

      IT Investment Process. The DEA’s IT Investment Process Guide
and Transition Plan (Investment Guide), dated December 2001,
documents the agency’s IT investment process.
The Investment Plan
contains all the elements prescribed by the ITIM Framework including:

     •   a description of the roles of the key people within the DEA
         investment process,

     •   an outline of the significant events and decision points within
         the process,

     •   an identification of the external and environmental factors
         that influence the process, and

     •   the manner in which the IT investment process will be
         coordinated with the annual budget cycle.

      24 The Assistant Administrators are from the Office of Diversion, Human
Resources Division, and the Intelligence Division.

     Adequate Resources. According to the ITIM Framework,
executive management is typically responsible for creating investment
boards, defining their scope and resources, and specifying their
membership. Establishing an investment management working group
can benefit both the investment boards and IT project managers by
coordinating requests for information and providing responses.

      The Chief of the DEA’s Strategic Business Analysis Section told us
that the DEA has secured the necessary resources, including staff and
funding, to support the operations of the three investment boards.
Top management support for the operation of the investment boards is
demonstrated by the assignment of senior DEA personnel to the
Executive Review Board and the Business Council. In addition, the
DEA has established an ITIM Management Group within the Strategic
Business Analysis Section of the Office of Information Systems. The
Management Group provides support, advice, and guidance on
carrying out the ITIM process. The Management Group facilitates
access to IT experts. The Management Group operates as an
investment management center staffed with DEA and contractor
personnel.
The Management Group is responsible for providing the
DEA Administrator, CIO, CFO, and senior leadership with the necessary
analytical and project management information for making key
budget, financial, and program management decisions affecting the
future use of IT in the DEA. The Management Group is also
responsible for overseeing the movement of investment proposals
through the ITIM process, including providing assistance to project
managers.

      Competence. According to the ITIM Framework, to ensure the
success of an IT investment program, members of investment boards
should be familiar with the boards’ policies and procedures and be
capable of carrying out their responsibilities competently. Training
should be provided for members who have had little or no investment
decision-making experience or relevant education. For example,
training could be provided in economic evaluation techniques, capital
budgeting methods, performance measurement strategies, and risk
management approaches.

      As described in a DEA self-assessment, the members of the
three investment boards are qualified to make strategic decisions
regarding IT investments.25 The DEA’s CIO, who is responsible for
establishing the IT investment process, chairs the Executive Review
Board. The CIO has extensive experience in IT management.
Additionally, the Business Council members are key line managers who
are knowledgeable about business requirements in their respective
areas of responsibility.

      Further, the Management Group assists project and program
managers in preparing clear, concise summaries of their investment
proposals for presentation to the Business Council.
According to the
Chief of the Strategic Business Analysis Section, for major
investments, the Management Group provides guidance on scoring
various investment elements and instructs the Business Council on
how to complete a scoring worksheet.26

      The Chief of the Strategic Business Analysis Section told us that
the DEA recognizes the importance of periodic training for board
members and program managers. For example, in April 2003 before
the FY 2005 budget cycle, the DEA CIO issued a memorandum
encouraging the executive staff and anyone involved with IT
investments to attend one of two training seminars taught by an OMB
IT investment expert. The training focused on the IT capital planning
process and the development of IT business cases as presented in the
OMB Exhibit 300, which shows the proposed cost, schedule, and
performance goals for the investment.

      Additionally, the DEA partnered with the Department’s Office of
the Chief Information Officer (OCIO) to arrange another training
session on IT investments in May 2003. The training focused on
obtaining a five score in the OMB scoring of Exhibit 300 investments.27

      25 The self-assessment is a document the agency uses to assess its IT
investment management activities in accordance with the Framework.

      26 The DEA uses a scoring method to rank investment proposals based on how
each proposal supports the DEA mission. The investment proposal score ranges
from zero to 10.

      27 The OMB scores IT investments on a scale of one to five, with one being
the lowest score and five being the highest.

The DEA obtained the highest score of 5 for 2 of the 11 IT investment
proposals scored by the OMB. Further, 5 of the 11 IT investment
proposals obtained a score of 4.
An OCIO budget analyst told us that the two perfect scores were the
only perfect scores for the Department in the FY 2005 budget cycle.

      Avoiding Duplication or Gaps. According to the ITIM Framework,
the existence of multiple boards to govern the agency’s IT investment
process requires that criteria governing the boards’ authorities and
responsibilities be defined in such a way that there are neither
overlaps nor gaps in the assigned authorities and responsibilities. The
criteria governing the boards’ authorities and responsibilities can be
based on: cost, benefit, schedule, and risk thresholds; the number of
users affected; the function of the business unit; the lifecycle phase of
an IT investment; or other comparable and useful measures.

      To ensure that no overlaps or gaps exist within the scope of the
boards’ authorities and responsibilities, the DEA has created a
hierarchical approach to the operation of the investment boards.
Before the boards become involved in the ITIM process, the
Management Group works closely with the project and program
managers to ensure the completeness of the IT investment proposals
and to monitor the performance of the investments after funding. The
proposals are forwarded to the Business Council for review and scoring
based on the DEA mission and goals. Based on the results of the
Business Council’s review, recommendations are made to the
Executive Review Board on the IT projects for which funding has been
requested. The Executive Review Board evaluates the
recommendations to ensure that the DEA’s mission and goals are
being met through the proposed investment and then makes final
recommendations to the DEA Administrator. In reviewing the boards’
minutes we noted that the boards discussed and scored proposals and
made recommendations.

      Oversight Responsibilities.
According to the ITIM Framework, the agencywide IT investment boards
should be responsible for developing an agency-specific IT investment
guide to ensure that technological resources are linked to the
agency’s mission and IT strategic plan. The boards’ work processes
and decision-making processes are described and documented in the
guidance. Additionally, after the guidance has been developed, the
investment boards must actively maintain the guidance, making sure
that it reflects the current structure and processes used to manage the
selection, control, and evaluation of the organization’s IT investments.

      The DEA documented its IT investment processes in its
December 2001 Investment Guide. Since the investment boards were
not in existence at the time, the DEA formed a temporary working
group consisting of representatives at the management and executive
levels to develop the Investment Guide. The Executive Review Board’s
charter states that the Executive Review Board must approve all
changes to the Investment Guide. Due to the importance of the
Investment Guide to the ITIM process, the mandatory approval of any
changes to the Investment Guide demonstrates one of the Executive
Review Board’s key oversight responsibilities.

      Controls. According to the ITIM Framework, establishing
effective controls helps ensure that management will carry out IT
investment boards’ decisions. Without management controls,
decisions made by investment boards might not be implemented
because of conflicting priorities of the boards’ members. To ensure
the effectiveness of management controls, the relationship between
upper management and the investment boards must be documented
and agreed to by both parties.
The investment boards must have the confidence of upper management
when deciding on new proposals and funding for ongoing projects.

      The DEA Investment Guide identifies the key DEA players in the
ITIM process as follows: the Administrator, CIO, CFO, other senior
executives who sit on both the Business Council and the Executive
Review Board, and the Management Group. By including such
high-ranking officials as the key players to manage the ITIM process,
the DEA has, in essence, established controls and oversight to ensure
that the boards’ decisions are carried out. Because the investment
boards have been in operation for only one cycle of the select phase,
we were unable to evaluate the boards’ effectiveness.

Critical Process #2: Identifying Business Needs for IT Projects

      According to the ITIM Framework, an agency needs to develop a
process to identify the business needs supported by the proposed IT
investment. IT projects and systems should be closely aligned with
the business needs of the agency to support the highly visible core
business processes. To the extent that an agency has planning
documents – such as a strategic plan or target architecture – these
documents should be used as a source of agreed-upon business needs.

      The identification of business needs is important to ensure that
IT projects and systems support the agency’s strategic plan objectives
and business goals and objectives.
In addition, the agency’s investment management process is
strengthened and institutionalized by linking the agency’s business
objectives to its IT strategy and establishing a partnership between
the sponsoring unit and the provider of the technology.

      To ensure that business needs are identified for IT projects, the
DEA implemented the following key practices in accordance with the
ITIM Framework:

      •   documented policies and procedures for identifying IT
          projects or systems that support the DEA’s ongoing and
          future business needs,

      •   documented the business mission with stated agency goals
          and objectives,

      •   provided resources for the identification of IT projects and
          systems,

      •   defined and documented business needs for both proposed
          and ongoing IT projects and systems,

      •   identified specific users and other beneficiaries of IT projects
          and systems,

      •   ensured user participation in project management throughout
          an IT project or system’s life cycle, and

      •   ensured that the investment boards periodically evaluated the
          consistency of IT projects with the DEA’s strategic goals and
          objectives.

      Policies and Procedures. The ITIM Framework states that an
agency should have policies and procedures that outline a systematic
process for identifying, classifying, and organizing its business needs
and the IT projects that support these needs.
In many cases, the policies and procedures can be covered in the
internal guidance used for documenting the business case for a
proposed IT investment.

      In its Investment Guide, the DEA has documented its process for
identifying business needs for proposed IT investments. According to
the Guide, program managers submit proposals to the Business
Council and the Executive Review Board for consideration. Each IT
proposal must identify which business need is served by the proposed
IT project. The proposal must also state tangible and measurable
mission benefits. The DEA has standardized the presentation of an IT
proposal to the Business Council by creating a template that must be
used by program managers, and also has incorporated the
identification of the business needs that are to be supported by the IT
proposal as one of the categories within the template.

      Further, after the Business Council and the Executive Review
Board review the proposal and make a determination to pursue the
proposal, the project manager prepares the OMB Exhibit 300. In
preparing the Exhibit 300, the project manager must also identify the
business needs being met by the proposal. In standardizing the
proposal presentation and in completing the Exhibit 300, the DEA has
helped ensure that the business needs for each IT proposal will be
identified.

      Business Mission. According to the ITIM Framework, the
business mission, containing the agency’s stated goals and objectives,
is typically identified in the agency’s Strategic Plan.

      The DEA incorporated its general business mission
into the IT strategic plan, and according to that plan the DEA’s IT
mission is to strengthen the IT environment to meet future challenges
for drug enforcement, terrorism, and electronic government.
To accomplish its IT mission, the DEA will modernize obsolete
infrastructure platforms, expand secure information sharing
capabilities, re-engineer business processes, and implement
management practices that better support IT management.

      Identifying Business Needs. To demonstrate managerial
attention to the process of ensuring that business needs are identified
for each project, the DEA has tasked the Office of Information Systems
with the responsibility to ensure that IT projects and systems identify
the organization’s business needs. Each unit within the office has a
manager and is staffed to support its respective function. In addition,
the DEA hires contractors to help staff some of its units within the
office. Further, the office periodically updates an inventory of systems
to identify current IT projects, which states the system acronym,
name, and description. The office also maps each system to a specific
function. The office and the Property Custodian Assistants maintain
the DEA’s technical hardware inventory, which lists the component,
hardware description, and software applications and licenses.

      According to the DEA, the program managers are considered
sponsors of IT investments because they are responsible for the
submission of IT concept proposals to the Business Council. As
sponsors, each program manager ensures IT investment compatibility
with the general DEA IT mission.

      The Management Group provides staff support to project
managers during the concept proposal phase of an IT project.
Specifically, this assistance seeks to link the business objectives of
each IT proposal with the business needs of the organization. To
support the process as outlined in the Investment Guide, the
Management Group provides concept proposal and business plan
training for program managers.
The DEA also hosts Project Management Institute seminars to train
program managers on how to identify business needs. Additionally,
the DEA provides training in the Rational Unified Process tool, which
provides project guidance to program managers. The Rational Unified
Process is a flexible software development process program that
enables an agency to provide consistent process guidance to a project
management team. The DEA is using the Rational Unified Process in
most organizational units to implement replicable and organized
processes.

      Documenting Business Needs. According to the ITIM
Framework, each agency must ensure that its IT projects are directly
or indirectly linked to at least one of the organization’s business needs
or mission goals. A direct link is of greater value than an indirect link.
Identifying the business purpose, defining an executive sponsor of
each project, or obtaining confirmation from users that the project
meets their business needs can establish a direct link.

      The business needs for both proposed and ongoing IT
investments within the DEA are defined and documented in the
OMB Exhibit 300 for each investment. The business plans submitted
by the program managers contain goals for each project that map
back to the goals listed in the DEA strategic plan.

      The DEA Investment Guide states that the Business Council is to
evaluate whether the proposal meets the agency’s business needs.
We reviewed minutes from the Business Council’s meetings and
determined that the Business Council ranks proposals according to
how the proposal supports the business mission of the DEA. Even
though the business purpose for each project is determined as part of
the proposal phase of the project, ongoing investments undergo
further evaluation during the annual budget process.
The evaluation consists of: 1) the program manager submitting
monthly reports to the Management Group for review and forwarding
the reports to the appropriate boards for further review, and 2) the
Business Council and the Executive Review Board reviewing the
monthly reports to determine if the investment still supports
mission-related functions.

      Specific User Identification. The ITIM Framework states that IT
projects may address the needs of multiple sets of end-users, who will
benefit from the system. The agency should formally identify the
primary end-users early on in the project. This process allows the IT
staff to develop IT projects or systems focusing on specific,
well-defined goals of delivering value to its end-users, who depend
directly on the IT staff to produce systems that will help them
accomplish their particular goals.

      The DEA maintains a listing of all potential end-users for all IT
projects and systems. This listing is also a part of the DEA EA.
Additionally, during the “select” component of the capital planning and
investment control process (discussed in the Background section of
this report), end-users for each IT investment are identified in the
Business Plan and the OMB Exhibit 300 for major IT investments.

      End-users’ Participation. The ITIM Framework points out that
end-user involvement will vary during the different stages of a
project’s system life-cycle. During the project’s conception, end-users
should be heavily involved in developing the business case and in
defining how the system will help to meet needs or opportunities.
The end-user should be heavily involved during user acceptance testing.
However, during other phases of development, the end-user should
play a more limited role.

      During the final phases of the system’s life-cycle, especially the
operational phase, the end-user should play a major role in helping to
identify and document any benefits that are realized from the system’s
implementation. End-users are encouraged to participate in the
operational analysis of the system, which should involve collecting
information about the system’s performance and comparing it with the
initial performance baseline.

      During the control phase, each project follows the DEA
System-Development Life Cycle. The DEA uses the System-Development
Life Cycle to ensure a uniform development process.
During this phase, project managers prepare a Project Management
Plan (PMP) for each IT investment. The PMP serves as an agreement
between the end-user and the development team during the
construction of the IT system. Specifically, PMPs outline:

      •   the problem to be solved,

      •   the proposed solution to the problem,

      •   the integrated project team,

      •   the project timeline, and

      •   the expectations of both the development team and the
          end-users of the project.

      The PMP also includes a work breakdown structure that
establishes baseline deliverables and performance milestones.
Additionally, the PMP milestones require program managers to provide
documentation on project activities to the end-users as the project
progresses through the System-Development Life Cycle. And the
project’s complexity dictates the amount of System-Development Life
Cycle documentation required.
The DEA utilizes the Rational Unified Process to track the project
through the System-Development Life Cycle. The Rational Unified
Process consists of four progress stages:
1) inception, 2) elaboration, 3) construction, and 4) transition. The
DEA self-assessment states that the DEA uses a Field Advisory Council
to determine if the product met end-user requirements within the field
offices.28 The Field Advisory Council gathers and provides information
to the Office of Information Systems on the development and
deployment of technical infrastructure.

      Investment Boards’ Evaluation. During the investment boards’
evaluation, the boards assess the anticipated outcomes of a project or
system, and its value in relation to defined expectations. The boards
also determine whether and how well the IT project or system is
meeting the agency’s expectations. After deployment, the DEA
measures the system’s ability to continually meet a business or user
need.

      Using historical data, system expectations, and other factors as
criteria, the investment boards evaluate each IT project to determine
its value to the agency. The review cycle includes an evaluation of
project risks. Periodic evaluation of each IT project permits the
investment boards to determine the ongoing value of each IT
investment. These periodic evaluations are critical to determining
whether or not to continue funding the IT project.

      28 The Field Advisory Council consists of designated agent representatives
from domestic and international field offices.

      If an investment is found to be inconsistent with the
organization’s strategic goals and objectives, immediate action must
be taken at the project level, with oversight provided by the
investment boards, to realign the project or system.
But even a successful system will eventually begin to provide
diminishing returns as it becomes more expensive to maintain. In
addition, changing business requirements also can make a system
obsolete.

      The evaluation phase of the DEA IT Process was not yet
operational as of February 2004. Presently, the DEA is operating in
the select phase of the IT process. According to the DEA Investment
Guide, the evaluation phase of the ITIM process will be concerned with
ensuring that each IT investment delivers expected results and mission
benefits. When the evaluation phase is implemented, program
managers will submit monthly reports to the ITIM Management Group,
which will collect and maintain this information in an ongoing IT
portfolio. The Business Council and the Executive Review Board will
evaluate the investments contained within the IT portfolio.

      The Management Group Chief told us that the Business Council
has initiated a review of current IT investments. The Chief added that
individual project managers, in conjunction with their supervisors,
perform an evaluative role regarding IT investments. Individual
project managers have presented status reports about IT investments
to the Business Council. Minutes of Business Council meetings showed
that the Business Council ranked each investment and made
recommendations to the Executive Review Board on project funding.

Critical Process #3: Selecting an Investment

      According to the ITIM Framework, review or “reselection” of
ongoing projects is a very important part of this critical process.
If an IT project is not meeting the goals and objectives that were
established in the original selection, the investment boards must make
a decision on whether to continue to fund the project.

      To satisfy this critical process, the DEA implemented the
following key practices:

      •   documented policies and procedures for selecting new IT
          proposals, reselecting ongoing IT investments, and
          integrating funding with the process of selecting investments;

      •   ensured that resources exist for identifying and selecting IT
          projects and systems;

      •   established criteria for analyzing, prioritizing, and selecting
          new IT investment opportunities and reselecting IT
          investments;

      •   ensured that the above criteria reflect organizational
          objectives;

      •   ensured the use of the defined selection process, including
          criteria to select new IT investments and reselect ongoing
          IT investments; and

      •   ensured that executives’ funding decisions are aligned with
          selection decisions.

      Policies and Procedures. According to the ITIM Framework, a
structured method provides the organization’s investment boards,
business units, and IT developers with a common understanding of the
process and cost, benefit, schedule, and risk criteria that will be used
to select IT projects. Also, a documented selection process can help to
ensure consistency when an organization is considering multiple
investments for funding. Transparency in the process can help to
create an environment that is objective, fair, and rational.
Thus, potential investments will be judged solely on the merits of
their contribution to the strategic goals of the organization without
undue influence from outside the process.

      The DEA has documented its IT investment selection criteria in
the Investment Guide. A program manager prepares a concept
proposal for review by the ITIM Management Group, which validates
the concept proposal’s format and provides a preliminary evaluation of
the technical and business feasibility of the proposal. The concept
proposal is then forwarded to the Business Council, which provides an
independent review — in accordance with approved criteria — to
ensure compliance with the DEA EA and to prevent duplication with
ongoing development efforts. The criteria include evaluating risks,
costs, and mission benefits based on the DEA’s IT Strategic Plan and
organizational priorities, consistency with the DEA EA, and compliance
with security policy. The Business Council forwards its
recommendations to the Executive Review Board, which evaluates and
prioritizes the proposals to be forwarded to the DEA Administrator for
approval and inclusion in the annual budgeting process.

      During the budgeting process, the program managers prepare
and submit OMB Exhibits 300, which include a feasibility study, project
plan, and preliminary budget estimate. Each Exhibit 300 is reviewed
and evaluated by the ITIM Management Group, Business Council, and
Executive Review Board. The projects are compared and rated on a
color scale of red, yellow, or green. Red-rated investments are not
accepted. Yellow-rated investments have received a “concerned
approval” that may require additional information and close
monitoring.
Green-rated investments signify approval.

      The DEA ITIM Management Group forwards an approved
portfolio of proposed investments to the Department’s ITIM
Management Group. The Department’s ITIM Management Group then
consolidates the portfolio with those from other Departmental
components and submits them to the Department’s Senior
Management Council for decision, prior to forwarding the portfolio to
OMB for review.

      Further, the DEA uses the process described above to reselect
ongoing IT investments. As noted above, the DEA has integrated the
funding of investments into the selection process by allowing the
selection process to occur simultaneously with the DEA annual budget
process.

      Adequate Resources. The ITIM Framework states that the
resources for selecting IT projects typically involve:

      •   managerial time and attention to the process, including
          project sponsorship;

      •   staff support, including a designated official to manage the
          process; and

      •   support tools, methods, and equipment for organizing and
          analyzing IT proposals.

      As the concept proposal author, a program manager becomes
the sponsor of the proposed investment. As the sponsor, the program
manager is responsible for ensuring IT investment compatibility with
the DEA IT Strategic Plan.

      Regarding staff support of investments, the DEA has in place an
ITIM Management Group, which is responsible for designing,
implementing, and operating the DEA ITIM process, including the IT
investment selection process.
The ITIM Management Group manages the process by: 1) validating IT
proposal completeness, 2) monitoring individual investment
performance, and 3) supporting the Business Council and the
Executive Review Board in evaluating the investments.

      The DEA has described in its Investment Guide the tools,
methods, and equipment to be used for selecting IT projects. The DEA
uses standardized templates for the submission of IT proposals to the
Business Council for review. The Business Council and the Executive
Review Board use approved criteria to evaluate the IT proposals. The
proposals are organized according to the ranking received from the
Business Council and the Executive Review Board.

      Pre-determined Criteria. According to the ITIM Framework, any
decision-support process should be based on pre-determined criteria.
In order to maintain consistency, the criteria should include
quantitative or qualitative measures for comparing projects, based on
such things as investment size, length of the project, technical
difficulty, project risk, business impact, customer needs, cost-benefit
analysis, organizational impact, and expected improvement. The
results of the comparison help the investment boards analyze the
potential risk and return on investment for a particular project and
prioritize the portfolio using a scoring method that considers the
strengths and weaknesses of each project.

      The DEA ITIM Management Group has developed a scoring
worksheet for use by the Business Council in evaluating each IT
investment proposal based on relative factors. These factors include:
1) project management, including performance goals, risk
management, security, and project planning and spending; 2) mission
support and impact; and 3) appropriateness of funding. Program
managers make presentations to the Business Council about the
respective IT investments.
During the presentation, the Business Council members complete
scoring worksheets. The scoring worksheets are then combined, and
the investments are prioritized based on the combined score that each
investment received. The Business Council’s scoring results are
reported to the Executive Review Board, which makes the final
investment decision. The DEA also uses the above criteria to reselect
ongoing IT investments for continued funding.

      Organizational Objectives. The ITIM Framework states that
during project selection, decision-makers use various criteria to help
assess a system’s projected outcomes, resource allocations
(e.g., people, funding, and tools), and benefits and costs. As
organizational goals and objectives change and the criteria for
selecting projects change with them, decision-makers need to have a
management structure and tools in place to help reassess their
decision criteria and the impact of those criteria on decisions, results,
and outcomes.

      The DEA’s ITIM Management Group is responsible for developing
and maintaining the agency’s IT Strategic Plan, which is updated
annually. In addition, the ITIM Management Group develops the
scoring worksheet used by the Business Council to prioritize the IT
investments. According to the DEA self-assessment, the ITIM
Management Group updates the scoring worksheet each year to reflect
any changes in the IT Strategic Plan. This is necessary because one
criterion for prioritizing an IT investment is whether or not the
investment supports the DEA’s mission and goals.

      Selection Process. An organization must not only have a project
selection process documented but must also use the process. The
ITIM Framework states that the selection process should occur within
the context of the organization’s cyclical budgeting process.
A designated official should manage the data submission and the
screening activities associated with the selection process.

      The DEA has completed one selection cycle of the ITIM process
and as of March 2004 was in the process of completing the second
cycle for the FY 2006 budget year. We reviewed the minutes of the
Business Council to determine if the DEA was actually using its
prescribed selection process. According to the minutes, the program
managers made presentations to the Business Council, which were
ranked and prioritized based on how the projects met mission goals
and objectives. The Business Council’s decision was forwarded to the
Executive Review Board for further evaluation and a funding
recommendation.

      Funding Decisions vs. Selection Decisions. According to the ITIM
Framework, an organization’s executives have discretion in making the
final funding decisions on IT proposals. However, their decisions
should be based on the analysis that has taken place during the
selection process. Additionally, there should be evidence that some
proposals are judged less meritorious than others and thus do not get
funded as part of the decision-making process.

      As stated earlier, the Business Council prioritizes the IT
investment proposals based on its review and evaluation of each
proposal. The Business Council recommendations are then sent to the
Executive Review Board for further evaluation and recommendation to
the DEA Administrator for funding. In a memorandum dated
May 23, 2002, the DEA Administrator stated that all funding for DEA IT
investments would be based on the Executive Review Board’s
decisions.

      Conclusion. The DEA has completed the steps necessary to
establish an IT investment selection process.
The DEA has:
1) defined a method for selecting new IT projects and reselecting
ongoing IT investments for funding, 2) documented a project selection
process and is using it, and 3) laid the foundation to implement the
mature critical processes for making IT proposals and selecting
projects as described in Stage 3 of the ITIM Framework.

Critical Process #4: Providing Investment Oversight

      The purpose of this critical process is to ensure that an
organization provides effective oversight for its IT projects throughout
all phases of a project’s life cycle. While the investment boards should
not micromanage each project, they should maintain adequate
oversight and observe each project’s performance and progress toward
defined cost and schedule expectations. The investment boards
should expect that each project development team will be responsible
for meeting project milestones within the expected cost parameters
that have been established by the project’s business case and
cost-benefit analysis.

      To satisfy this critical process, the DEA must implement these
key practices:

      •   document policies and procedures for oversight of IT projects
          and systems,

      •   provide resources for managing IT projects,

      •   ensure that project management plans are kept for IT
          projects and systems,

      •   provide actual performance data to the appropriate IT
          investment boards, and

      •   conduct performance reviews of IT projects and systems.

The DEA has implemented all five key practices.

      Policies and Procedures. According to the ITIM Framework, an
organization should establish policies and procedures for management
oversight of IT projects.
The policies and procedures should specify: 1) the criteria to be used by the investment boards when evaluating project performance, and 2) that corrective action be taken when the project deviates or varies significantly from the project management plan.

The DEA has documented procedures specifically covering software project tracking and oversight. These procedures were developed as part of the Capability Maturity Model (CMM) process improvement initiative.[29] The procedures cover internal reviews by project managers, formal project management reviews, communication of commitments and changes to commitments, and senior management review of commitments and changes to commitments. The procedures are executed at the project level and operate within the ITIM process. They describe the roles of the project manager, development team, line management, and senior management within each process.

Project managers review the status of software projects with supervisors and customers to identify and resolve issues associated with the project. Project risks are identified for major IT investments and documented in OMB Exhibit 300. The Business Council and the Executive Review Board manage by exception and review only those projects that exhibit a 10-percent or greater cost or schedule variance as explained in OMB Circular A-11. The DEA coordinates application development projects and infrastructure projects to ensure that the infrastructure can support the development of new applications.

The DEA Investment Guide states that along with certain checkpoints in the System-Development Life Cycle, investments in the control phase are subject to periodic progress reviews to assess cost management, schedule variances, and realization of planned benefits. The scope and frequency of these reviews should be determined by the projects’ cost, risk, and complexity.
The information used for these reviews, such as expenditures and work completed, is collected monthly from the project manager.

Adequate Resources. The ITIM Framework states that an organization should provide the resources needed to oversee its IT projects and systems. These resources should include managers and staff who are assigned specific responsibilities for monitoring, and tools – such as project summary reports on schedule and cost – to support the investment boards’ oversight operations.

[29] The Capability Maturity Model is an improvement framework used by an organization to judge the maturity of its software development processes. It also identifies the key practices required to help organizations increase the maturity of these processes.

The Management Group facilitates the ITIM process. The Management Group is staffed with a combination of government and contractor personnel providing the expertise necessary to ensure that investment boards are provided with sufficient information for executive level oversight. The Management Group prepares presentation templates for project managers, assists project managers in preparing materials for the ITIM boards, develops evaluation forms for the boards’ members, prepares boards’ minutes, and follows up on boards’ action items.

In addition, the Management Group coordinates with the Quality Management Unit on evaluation tools for earned-value and project reporting metrics.[30] The information generated from these evaluation tools is included in a status report for the ITIM boards’ oversight activities. The DEA is also using Microsoft Project to present the standard work breakdown for each project.
As the project plans are updated with actual completion dates and costs, this information is included in the earned-value management tool. The Quality Management Unit also captures other project-performance metrics, and reports the data to the ITIM Management Group for use with the investment boards’ oversight processes.

Project Management Plans. The ITIM Framework states that each IT project management team should create and maintain a PMP for the project or system for which it is responsible. The PMP documents a variety of project decisions, assumptions, and expectations including project performance. Expectations could include a cost-and-schedule baseline-control system – such as the earned-value management system – milestone-based accomplishment expectations, or another control system depending on the project’s size, importance, cost, and risk.

The DEA has required each project to have a PMP that documents the purpose, scope, and background of the project; the project organization; and the management and technical approach. The PMP also contains the project schedule and funding information. A number of supplemental exhibits are included with the PMP, such as project-sizing and documentation requirements, project questionnaires, staff roles and responsibilities, the work-breakdown schedule, primary points of contact, and a system-risk matrix.

[30] Earned-value is a management technique that measures the amount of planned work completed in relation to the funds expended.

Major IT investment plans are also summarized and reported in the Exhibit 300. The Exhibit 300 captures cost, schedule, and performance data along with earned-value, project assumptions, and risks.
Further, the DEA Investment Guide states that after a project’s concept proposal is approved, a business case must be developed for further consideration. A business case consists of a project plan, feasibility study, cost-benefit analysis, and concept of operations. These documents are all part of the PMP.

Actual Performance Data. For an organization to establish control of projects in Stage 2 of the ITIM Management Framework, it is essential that all performance data, including cost, schedule, benefits, risks, and system functionality for each IT project, are collected and disseminated to the appropriate IT investment boards. In addition, to monitor the long-term value of a project or system, the organization needs to collect and distribute this information to the appropriate IT investment boards during agreed-upon stages of the project’s life cycle.

Currently, the DEA uses its project managers to collect and distribute cost and schedule data for individual projects. This information is provided to the investment boards through presentations at board meetings. Additionally, the project performance data is captured in the Exhibit 300. The DEA is in the process of assessing earned-value management tools, one of which is to be selected and implemented during FY 2004. When implemented, the earned-value tool will provide additional project metrics that will be reported to the ITIM boards by the ITIM Management Group.

Performance Reviews. The ITIM Framework states that investment boards should oversee the performance of IT projects by conducting reviews at predetermined checkpoints or major milestones in order to compare actual project costs and schedules with the proposal.

During the control phase of the ITIM process, investments are to be subject to periodic progress reviews to assess cost management, schedule variance, and realization of planned benefits.
Based on the information collected during these reviews, the ITIM Management Group is to determine which projects are at risk, and then follow up on those projects to identify the problem and the solution.

DEA investment boards’ activities are evolving and will include more activities during the control phase in 2004. We reviewed the minutes of Business Council meetings in December 2003 and found that during the presentations for each project, program managers informed the Business Council of the status of their respective projects. As stated earlier, the investment boards conduct oversight responsibilities by exception, focusing on investments that show a 10-percent or greater variance in cost or schedule. The ITIM Management Group, in conjunction with the Quality Management Unit, collects and validates the information provided by project managers and presents the data to the investment boards for review.

Critical Process #5: Capturing Investment Information

During this critical process the organization identifies its IT assets and creates a comprehensive repository of investment information. This repository is used to track the organization’s IT resources.
For an organization to make good IT investment decisions, it must be able to acquire pertinent information about each investment and store that information in a retrievable format, to be used in making future investment decisions.

To complete this critical process, the DEA implemented three key practices:

• identified and collected specific information on IT projects and systems to support decisions about them,
• ensured that information collected is accessible and understandable to decision-makers, and
• provided a repository to be used by investment decision-makers to support investment management.

Information Collection. The ITIM Framework suggests that a standard, documented procedure be used to ensure that developing and maintaining information on projects and systems is replicable and produces IT data that is timely, sufficient, complete, and comparable. The information may be prepared by the information systems support component of the organization and verified and validated by a designated official or another organizational unit.

The DEA Office of Information Systems inventories and accounts for the assets comprising the physical infrastructure, which includes workstations, servers, printers, storage devices, and telecommunication devices. The information collected includes the type of equipment and a unique identifier for the equipment, usually a barcode, acquisition date, deployment date, and location. The DEA similarly maintains a software inventory. These two inventories became the foundation of two of the four EA components. The physical infrastructure is documented in the Application Architecture, and the software inventory is documented in the Technical Architecture.
In addition, the DEA’s OMB Exhibit 53, IT Investment Portfolio, shows the prior-year, current-year, and budget-year costs for developing and maintaining IT projects.[31]

According to the DEA self-assessment, the physical inventory and the financial data collected on IT projects are used not only for the management of the assets but also in the project planning process. For example, the information collected about the physical infrastructure deployed to each DEA field division is necessary to determine when and where the deployment of a new application will take place, especially if the new application requires an updated physical infrastructure. Business Council minutes documented that the Council uses information collected about the IT projects and systems to make decisions on whether to select, continue, or terminate a project.

Information Accessibility. According to the ITIM Framework, a repository of information about the IT investments is of value only to the extent that decision-makers and stakeholders use the information. Knowledge of the information contained in the repository by staff and managers throughout the organization can help to avoid duplication of effort and facilitate the reconciling of overlapping resources. For example, a report generated from the information contained in the repository can be used to better manage the licensing of an organization’s application software by showing individually licensed applications that may be candidates for group licensing.

The DEA makes the IT system and project inventories available to the investment boards as necessary to allow the boards to view proposed investments in the context of similar initiatives. The inventory of systems is also submitted to the Department’s CIO as part of the IT budget formulation process.
The inventory then becomes the basis for reporting the DEA IT portfolio on OMB Exhibit 53.

As stated earlier, the inventory and financial data for the IT projects are provided to the Business Council for its review and for making funding recommendations to the Executive Review Board. The Business Council then provides the funding recommendations, along with supporting documentation, to the Executive Review Board, which reviews and makes decisions about the DEA’s IT portfolio.

[31] OMB Exhibit 53 is a listing of an agency’s entire IT investment portfolio. An agency is required to submit an Exhibit 53 to OMB if the agency’s financial management budget is $500,000 or more in any given year.

Maintaining the Information Repository. According to the ITIM Framework, informed investment decisions require up-to-date information. Maintaining the integrity of the information repository is important to ensure that the repository remains a useful decision-making tool. As projects and systems change through additions, updates, or deletions, the status of the projects and systems should be documented in the repository. An individual or organizational unit should be designated to maintain the repository.

According to the DEA’s self-assessment, the IT inventory maintained as part of the DEA EA is crucial to future investment decisions. The knowledge of current assets – including capabilities, limitations, and expected lifespan – is an important part of any decision that affects the DEA investment portfolio.
The ITIM Management Group is responsible for periodically updating the inventory based on DEA decisions about the agency’s infrastructure and software configuration.

Our review of the DEA PMP determined that the DEA includes a change-control page to track all changes made to the project. We also found that the DEA Investment Guide requires that during the control phase, investments are subject to periodic progress reviews to assess cost management, schedule variance, and the realization of planned benefits.

ITIM Stage 2 Summary

The DEA has completed the ITIM Framework’s critical processes necessary to build an IT investment foundation. The critical processes include: 1) establishment of investment boards, 2) identification of business needs for IT projects, 3) IT investment selection, 4) IT project oversight, and 5) IT system and project identification and tracking.

Stage 3 Not Yet Completed

Stage 3 of the ITIM Framework focuses on the investment boards’ enhancement of the ITIM process by developing a complete investment portfolio. According to the ITIM Framework, having a portfolio perspective enables an organization to consider its investments in a comprehensive manner. The portfolio perspective on IT investing is important in that it allows the investment boards to select investments that address not only the strategic goals, objectives, and mission of the organization, but also the effect that projects have on each other.
To develop an IT investment portfolio, an organization combines all its IT assets, resources, and investments — considering new proposals along with previously funded investments — and identifies the appropriate mix of IT investments that best meets its mission, organizational, and technology needs, and priorities for improvements.

Stage 3 maturity requires the accomplishment of four critical processes; the DEA has not yet completed them. To attain Stage 3 maturity, the DEA needs to implement 27 key practices within the 4 critical processes. We found that as of February 2004, the DEA had completed 9 of the 27 key practices. However, the DEA has not completed all the key practices within any of the critical processes.

Critical Process #1: Defining the Portfolio Criteria

According to the ITIM Framework, portfolio selection criteria are a necessary part of an IT investment management process. Developing an IT investment portfolio involves defining appropriate IT investment cost, benefit, schedule, and risk criteria to ensure that the organization’s strategic goals, objectives, and mission will be satisfied by the selected investments. Portfolio selection criteria reflect the strategic and enterprise-wide focus of the organization and build on the criteria that are used to select individual IT projects. The ITIM Framework states that IT projects are sometimes selected on the basis of an isolated business need, the type and availability of funds, or the receptivity of management to a project proposal. The portfolio selection criteria should be applied as uniformly as possible throughout the organization to ensure that decision-making is consistent and the processes become institutionalized.
When an organization’s mission or business needs and strategies change, the criteria should be re-examined.

To ensure that the IT investment portfolio criteria are defined, the DEA implemented the following key practices in accordance with the ITIM Framework:

• documents policies and procedures for creating and modifying IT portfolio selection criteria;
• assigns responsibility for managing the development and modification of the IT portfolio selection criteria;
• ensures that the investment board approved the IT portfolio selection criteria based on the organization’s mission, goals, strategies, and priorities;
• ensures that project managers and other stakeholders are aware of the portfolio selection criteria; and
• ensures that the investment board reviewed the IT portfolio selection criteria and modified the criteria as appropriate.

Policies and Procedures. The DEA uses DOJ Order 2880.1A and OMB Circular A-11 as the criteria for its IT portfolio selection. The Order and the Circular emphasize project performance and value added to the agency. DOJ Order 2880.1A provides criteria for selecting major IT investments and defines a major investment as any one that the Department’s CIO determines requires special management attention because of its importance to an agency mission, political sensitivity, and high development and maintenance costs, regardless of whether such work is performed by government employees or contracted out.
According to the Department’s CIO, for an investment to be considered a major IT investment it must meet one of the following criteria:

• annual cost greater than $10 million, or total life-cycle cost greater than $50 million;
• any financial information system with an annual cost greater than $500,000;
• any investment that is mandated for department-wide use;
• any investment that affects multiple Department of Justice organizational components;
• any investment required by law or designated by Congress as a budget “line item”; or
• any high-risk or politically sensitive investment, as determined by the Department’s CIO.

OMB Circular A-11, Section 300, defines a major investment as one of the following: a system or investment that requires special management attention because of its importance to an agency’s mission, an investment that is directly linked to the top two layers of the Federal Enterprise Architecture (Services to Citizens and Mode of Delivery), or an investment that is an integral part of an agency’s EA. All major investments are reported on Exhibit 53, which becomes one source, along with the EA and physical infrastructure, for the agency’s investment portfolio. The use of DOJ Order 2880.1A and OMB Circular A-11 meets the ITIM Framework requirements for portfolio selection criteria.

Criteria Development Responsibility. The ITIM Framework states that an individual or working group should be assigned the responsibility for developing IT portfolio selection criteria and for modifying the criteria as necessary.
Individuals who are assigned the task of developing and modifying the criteria should have a working knowledge of investment management. Developing the right criteria with which to analyze a portfolio of projects is a critical component of making sound investment decisions.

The DEA ITIM Management Group is responsible for interpreting the above-mentioned criteria and facilitating their application. The criteria are documented in the DEA Investment Guide and incorporated in the scoring sheets used by the Business Council to rank the proposed investments. The DEA is ensuring that the Business Council uses the correct criteria for selecting portfolio investments by incorporating the criteria into the scoring sheets.

Portfolio Selection Criteria. According to the ITIM Framework, the criteria for selecting portfolio investments should be linked directly to the organization’s broader mission, goals, strategies, and priorities. This ensures that the selected IT investments will support the larger organizational purposes. The Framework points out that the criteria should also take into account the organization’s EA to: 1) avoid unwarranted overlap across investments, 2) ensure maximum system interoperability, and 3) increase the assurance that investments are consistent with the IT strategy as captured in the EA.

The selection criteria used for assessing and ranking individual investments and proposals should generally include four essential investment elements: cost, benefit, schedule, and risk. The assessment may also include other criteria to aid in evaluating relationships among investments. Organizations typically focus on these four elements and develop multiple measures under each broad element.

As stated earlier, the DEA uses DOJ Order 2880.1A and OMB Circular A-11, Section 300, as criteria for selecting portfolio investments.
In addition, the DEA has established investment selection criteria within the DEA Investment Guide, which defines the core selection criteria that are based on DEA missions, goals, strategies, and priorities. The charters of the Executive Review Board and the Business Council reiterate these core criteria. The Executive Review Board’s charter also grants authority to the Executive Review Board to approve changes to the DEA’s ITIM process.

The Executive Review Board evaluates funding proposals based on uniform criteria to ensure that all investments meet at least minimum requirements. These criteria include evaluating risk, cost, and mission benefits. As stated previously in the Stage 2 section of this finding, the projects are compared against each other in a portfolio setting and rated on a color scale.

The Business Council’s scoring sheet includes the following criteria for evaluating projects: performance goals, risk management, security, project planning and spending, mission support and impact, and cost. The scoring sheet covers the selection criteria elements as outlined in the ITIM Framework and the DEA Investment Guide. The DEA first used this scoring sheet to rank proposed IT investments in 2003 as part of the FY 2005 budget formulation process.

Selection Criteria Awareness. The ITIM Framework states that the criteria for selecting portfolio investments should be disseminated to each IT investment board and IT project managers, organizational planners, and any other interested parties. The selection criteria should be clearly addressed in funding submissions for IT projects.

The DEA program managers use a standardized template to complete the investment proposals. The selection criteria are embedded within the template to ensure that the program managers are not only aware of the criteria but also address them.
Again, the Business Council’s scoring worksheet used to rank all investments also contains the selection criteria. The Exhibit 300 prepared by the program managers also includes financial data, security, agency mission and strategic goals, and risk assessments.

Our review of the minutes of a December 2003 Business Council meeting showed that all 19 IT investment proposals were presented using the standardized template. For the FY 2005 budgetary process, the DEA prepared 15 Exhibits 300 for new and ongoing IT investments. Because the project managers used the standardized template to submit project proposals, and the investment boards used both the Exhibits 300 and the scoring sheet to rank projects, we conclude that both project management personnel and the investment boards are aware of the portfolio selection criteria.

Selection Criteria Review. The criteria for selecting IT investments may be changed based on: 1) historical experience; 2) changes in the organization’s strategic direction, business goals, or priorities; or 3) other factors, such as increased IT management capabilities or technological changes. Ultimately, however, the task of modifying the criteria will be based on the experience and judgment of the enterprise-wide investment boards.

According to the DEA self-assessment, the DEA Business Council uses its experience to rank investments within the framework of the portfolio selection criteria summarized in the scoring worksheet. The Executive Review Board has the authority to recommend and approve changes to the ITIM process, which includes the portfolio selection criteria.
The Business Council has been in operation for only one budget cycle, and there have been no modifications to the criteria. The Chief of the ITIM Management Group told us that the DEA would begin implementing the control phase of the ITIM process in 2004.

Critical Process #2: Creating the Portfolio

The development of the IT investment portfolio is an ongoing process that includes decision-making, prioritization, review, realignment, and reprioritization of projects that are competing for resources and funding. The process for creating the portfolios should ensure that each IT investment board manages investments according to an organizational, strategic-planning perspective. The boards should collectively analyze and compare all investments and proposals to select those that best fit with the strategic business direction, needs, and priorities of the entire organization.

To implement the critical process of creating an IT investment portfolio, the DEA must establish six key practices. The DEA has completed two of the six key practices:

• established policies and procedures for analyzing, selecting, and maintaining the investment portfolio; and
• ensured that board members are knowledgeable about the process of creating a portfolio.

Policies, Procedures, and Processes. According to the ITIM Framework, each IT investment board should have policies and procedures in place to help it select the most promising proposals and to ensure that the most feasible investments are considered.
These policies should include specific screening criteria to help identify and expedite the selections.

The DEA has documented the processes for selecting an investment portfolio in its DEA Investment Guide, which provides policies and procedures that supplement and support guidance from DOJ Order 2880.1A and OMB Circular A-11 regarding investment analysis. The Investment Guide contains detailed processes for analyzing, selecting, and maintaining the investment portfolio. In addition, the DEA requires program managers to develop an Exhibit 300, as explained in OMB Circular A-11, for all projects to be submitted for final funding approval. The Exhibit 300 includes a description of the project and a justification describing the costs, project management, schedule, and risks.

Board Members’ Knowledge. As stated previously, the DEA included the criteria within a scoring sheet format to be used by the Business Council in reviewing and selecting portfolio investments. In doing this, the DEA has ensured that the investment board is knowledgeable about the criteria to be used in selecting portfolio investments.

Uncompleted Key Practices.
The DEA is working on, but has not yet implemented, the following four key practices:

• ensures that the investment boards are provided with information comparing actual project and system performance to expected performance;
• ensures that the IT investment boards examine the mix of new and ongoing investments and select investments for funding;
• ensures that each investment board approves or modifies performance expectations for its selected IT investments; and
• ensures that information used to select, control, and evaluate the portfolio is captured and maintained for future reference.

As stated before, the DEA has detailed procedures for selecting, controlling, and evaluating portfolio investments. Through our review of the supporting documentation given to us by the DEA and minutes of the Business Council’s meetings, we conclude that the DEA is operating according to the procedures outlined for the selection of investments. However, because the Business Council has only been in operation for one budgetary cycle, we were unable to determine if the “control” and “evaluate” procedures have been implemented. The Chief of the Strategic Business and Analysis Management Group told us that the DEA would implement the control phase of the ITIM process during 2004.

We also found that the DEA has taken steps to ensure that information used to select, control, and evaluate the portfolio is captured and maintained for future reference. The DEA maintains the minutes and action items from investment board meetings electronically for retrieval at a later date.
The DEA also uses an Information Technology Investment Portfolio System (ITIPS), which tracks the planning, acquisition, and operations of Automated Information Systems and IT investments. The ITIPS also complies with federal requirements such as the Government Performance and Results Act, the Paperwork Reduction Act, and the Clinger-Cohen Act. According to the DEA self-assessment, the DEA is assessing other tools to better capture the required information about IT investments.

The DEA’s ability to effectively capture investment information on past and present IT decisions can translate into better decisions on IT investments during control phase activities, as well as during the evaluation and selection processes. As stated previously, without an effective system to capture IT investment information, the DEA may base IT decisions more on judgment, intuition, and partial data than on objective, systematic, IT-related information that is routinely collected and analyzed. The ITIM Framework states that IT information systems that deliver information that is up-to-date, encompassing, and presented in a useful format will enhance the decision process.

Critical Processes #3 and #4: Evaluating the Portfolio and Conducting Post Implementation Reviews

The two remaining critical processes within Stage 3 of the ITIM Framework involve evaluating the investment portfolio and performing post-implementation reviews on it. The DEA had not yet completed those critical processes as of February 2004.

As stated previously, the DEA has procedures in place for evaluating investments within the portfolio. However, no work has been done to evaluate those investments. Although the DEA’s ITIM process has been in operation for two fiscal years and one budgetary cycle, the agency has not yet advanced into the evaluation phase of the ITIM Framework.
The DEA self-assessment stated that the DEA is
beginning to implement a 10-percent threshold for cost and schedule
variance to guide in evaluating IT portfolio performance.

      To streamline the Business Council and the Executive Review
Board’s access to current information on the status of DEA IT
investments, the DEA is working to implement the DOJ/CIO Dashboard
to provide information on the status of IT projects.[32] Once
implemented, the Business Council, the Executive Review Board, and
project managers may use the Dashboard to gain a quick reference to
determine the cost, schedule, and risks for investments contained in
the DEA IT portfolio.

      In addition, the DEA has not provided formal training for
investment board members to ensure that the boards’ members are
familiar with portfolio evaluation and improvement procedures. As
stated previously, at the beginning of the meeting the DEA ITIM
Management Group outlines for the Business Council the process to be
used for IT investment review. In our judgment, a formal training
session would enable the investment boards to become more familiar
with the ranking categories and to understand what each category
entails and how each category is important to the evaluation of each
IT investment.

      ITIM Stage 3 Summary

      The DEA has completed 9 of 27 key practices necessary to attain
Stage 3 maturity of the ITIM Framework. The agency has defined the
policies and procedures to be used in the portfolio selection process,
established responsibility for criteria development, and has made the
investment boards aware of the established criteria.
However, the
DEA has not yet: 1) obtained and utilized a system to effectively
capture investment information for projects, or 2) provided training to
investment board members on the evaluation criteria for IT
investments.

      [32] The DOJ/CIO Dashboard is a Department database that provides the
Department’s CIO, component CIOs, and project managers with current status
information on major and other highly visible IT systems in the Department’s
portfolio.

Attaining Stage 4 Maturity

      According to the ITIM Framework, the primary focus of Stage 4
is to improve the overall performance of an agency’s IT portfolio. To
attain the Stage 4 level of maturity, an agency must implement two
critical processes: 1) evaluate the performance of the portfolio and use
the information gained from the evaluation to improve both current IT
investment processes and the future performance of the investment
portfolio, and 2) manage the succession of information systems by
replacing low-value systems with higher-value systems.

      The ITIM Framework states that an agency should know how
well investments in information management and technology are
contributing to improvements in mission performance. Improving the
portfolio’s performance is, at the level of the investment portfolio, the
equivalent of Stage 3’s post-implementation reviews for an
investment. At Stage 4, an agency determines how well a portfolio of
IT investments is: 1) helping to achieve the strategic needs of the
enterprise, 2) satisfying the needs of business units and users with IT
products and services, and 3) improving IT business performance for
users and for the enterprise as a whole. To make these
determinations, an agency’s entire portfolio of investments should be
compiled and analyzed, and investment trends examined.
To perform
the analysis of the entire portfolio, an agency may use the information
compiled from the post-implementation reviews, the IT investment
boards’ experiences, and the results to date for major investments.

      Also at Stage 4, the agency enhances its ability to forecast, plan,
and manage the migration to new system investments. At this stage,
the target EA and transition plan can be useful guides in evaluating
which investments should be phased out and which ones the agency
should retain. According to the ITIM Framework, Stage 4 maturity is
significant because some IT investments can outlive their usefulness
and yet consume resources that outweigh the IT investments’ benefits
to the agency.

      The DEA stated in its self-assessment that it has not yet
implemented any of the key practices for Stage 4 maturity. In
addition, in order for the DEA to consider Stage 4 maturity it must
implement all key practices in Stage 3.

Attaining Stage 5 Maturity

      According to the ITIM Framework, at Stage 5 an agency is using
its IT investment capabilities both to anticipate the effects of
next-generation information technologies and to significantly drive
strategic business transformation. As an agency’s capability to run
effective management processes to constantly select, control, and
evaluate IT investments matures, the agency can more effectively
examine how best to institute major business transformations to better
achieve its missions.
These major business transformations will
include fundamental changes to how the agency applies new
information technologies to support changes in customer interaction
and service delivery processes.

      For the DEA to attain Stage 5 maturity it must: 1) attain
Stage 4 maturity by implementing all key practices within Stages 3
and 4, 2) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated into the
DEA’s IT investment process, and 3) use IT to strategically transform
work processes and explore new and more effective ways of executing
the DEA’s mission.

Conclusion

      The DEA is making progress toward implementing a process to
effectively manage its IT investments. The DEA has attained Stage 2
of the five maturity stages outlined in the ITIM Framework by: 1)
establishing IT investment boards and defining the membership,
guiding policies, operations, roles, responsibilities, and authorities for
each board; 2) developing business cases that identify key executive
sponsors and business customers or end-users and the business needs
that the IT project will support; 3) defining a process that is used to
select new IT project proposals and reselect ongoing projects; 4)
providing investment oversight by monitoring projects regarding cost
and schedule expectations as well as anticipated benefits and risk; and
5) capturing the investment information necessary for executive
decision-makers to make informed decisions about the DEA’s IT
investments.

      The DEA has made progress toward attaining Stage 3 maturity
of the ITIM Framework, by completing 9 of the 27 necessary key
practices. Specifically, the DEA has defined the policies and
procedures to be used in the portfolio selection process, established
responsibility for criteria development, and has made the investment
boards aware of the established criteria.
To attain Stage 3 maturity,
the DEA must: 1) obtain and utilize a system to effectively capture
investment information for projects, and 2) provide training to
investment boards’ members on the evaluation criteria for IT
investments.

      To attain Stage 4 and 5 maturity as described by the ITIM
Framework, the DEA must: 1) evaluate the performance of the
portfolio and use the information gained from the evaluation to
improve both current IT investment processes and the future
performance of the investment portfolio, 2) manage the succession of
information systems by replacing low-value systems with higher-value
systems, 3) optimize the investment process by ensuring that best
practices of other organizations are captured and incorporated within
the DEA’s IT investment process, and 4) use IT to strategically
transform work processes and explore new and more effective ways of
executing the DEA’s mission.

Recommendations

      We recommend that the DEA:

6.   train members of the investment boards on the criteria for
     evaluating IT investments; and

7.   establish a schedule for completing Stages 3 through 5 of the
     ITIM process to control and evaluate the DEA’s IT investments.


STATEMENT ON COMPLIANCE WITH
LAWS AND REGULATIONS

      We have audited the DEA’s management of Enterprise
Architecture and IT investments. The audit was conducted in
accordance with Government Auditing Standards. As required by the
standards, we reviewed management processes and records to obtain
reasonable assurance about the DEA’s compliance with laws and
regulations that, if not complied with, in our judgment, could have a
material effect on DEA operations.
Compliance with laws and
regulations applicable to the DEA’s handling of Enterprise Architecture
and IT investments is the responsibility of the DEA’s management.

      Our audit included examining, on a test basis, evidence about
laws and regulations. The specific laws and regulations against which
we conducted our tests are contained in the relevant portions of the
Clinger-Cohen Act of 1996 and OMB Circular A-11, Section 300.

      The Clinger-Cohen Act of 1996:

      •     as applied to the Enterprise Architecture, requires the CIOs
            for major departments and agencies to develop, maintain,
            and facilitate the implementation of architectures as a
            means of integrating business processes and agency goals
            with IT; and

      •     as applied to the management of IT investments, defines
            requirements for capital planning and control of IT
            investments and mandates a select/control/evaluate
            approach that federal agencies must follow.

      OMB Circular A-11, Section 300:

      •     as applied to IT investment management, establishes the
            criteria for completing Exhibits 300, which is the format
            used to represent the purpose for the proposed investment
            to agency management and the OMB.

      Except for those issues cited in the Finding and
Recommendations section of our report, our tests indicated that for
those items reviewed, the DEA’s management complied with the laws
and regulations referred to above.
With respect to those items not
tested, nothing came to our attention that caused us to believe that
the DEA’s management did not comply with the laws and regulations
cited above.


STATEMENT ON MANAGEMENT CONTROLS

      In planning and performing our audit of the DEA’s management
of its EA and IT investments, we considered the DEA’s management
controls for the purpose of determining our audit procedures. This
evaluation was not made for the purpose of providing assurance on
the management control structure as a whole; however, we noted
certain matters that we consider to be reportable conditions under
Government Auditing Standards.

      Reportable conditions involve matters coming to our attention
relating to significant deficiencies in the design or operation of the
management control structure that, in our judgment, could adversely
affect the DEA’s ability to manage its EA and IT investments. During
our audit, we identified the following management control concerns.

     •   The DEA has not yet completed an EA to drive its IT
         investments.

     •   The DEA has not yet implemented the control and evaluate
         processes necessary to complete its IT investment capability.

      Because we are not expressing an opinion on the DEA’s
management control structure as a whole, this statement is intended
solely for the information and use of the DEA in managing its EA and
IT investments.
This restriction is not intended to limit the distribution
of this report, which is a matter of public record.


APPENDIX 1

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

      The objectives of the audit were to: 1) determine if the DEA was
effectively managing its Enterprise Architecture; and 2) determine if
the DEA was effectively managing its IT investments.

Scope and Methodology

      The audit was performed in accordance with Government
Auditing Standards, and included tests and procedures necessary to
accomplish the audit objectives. We conducted work at the DEA
Headquarters in Arlington, Virginia.

      To perform our audit, we conducted approximately 17 interviews
with 9 officials from the DEA, DOJ, GAO, and Bearing Point – the
contractor being used to complete the DEA EA. Additionally, we reviewed
over 90 documents related to EA and IT management policies and
procedures, project management guidance, strategic plans, IT project
proposals, budget documentation, organizational structures,
investment board minutes, and prior GAO reports.

      To determine whether the DEA is effectively managing its EA, we
used the GAO’s EA Management Framework as criteria. As part of our
assessment of the DEA’s EA, the DEA completed a survey developed
by the GAO to identify which of the core elements in the EA
Management Framework were implemented. We reviewed the survey
and obtained supporting documentation for the core elements that the
DEA said were implemented. We did not test or review documentation
for the core elements that the DEA considered not implemented or
partially implemented. We did not perform an independent analysis of
the DEA’s current EA to determine if all business areas and IT systems
were listed.
We made an assumption that the DEA’s current
architecture represented the DEA’s existing IT infrastructure.

      To determine whether the DEA is effectively managing its IT
investments, we applied the GAO’s ITIM Framework and the associated
assessment method. As part of the Framework’s assessment method,
the DEA completed a self-assessment of its IT investment
management activities. In addition to the self-assessment, the DEA
provided documentation; for example, policies and procedures,
templates, program managers’ presentations, meeting minutes, and
training agenda and information, to support its claims within the
self-assessment. We examined the documentation provided to
determine if the DEA implemented the key practices within the critical
processes. We did not review documentation for the key practices in
the self-assessment that the DEA considered not implemented or
partially implemented.


APPENDIX 2

ACRONYMS

CFO     Chief Financial Officer
CIO     Chief Information Officer
CMM     Capability Maturity Model
DEA     Drug Enforcement Administration
DOJ     Department of Justice
EA      Enterprise Architecture
FEAF    Federal Enterprise Architecture Framework
GAO     Government Accountability Office
IT      Information Technology
ITIM    Information Technology Investment Management
ITIPS   Information Technology Investment Portfolio System
JMD     Justice Management Division
OCIO    Office of the Chief Information Officer
OIG     Office of the Inspector General
OMB     Office of Management and Budget
PMP     Project Management Plan


APPENDIX 3

THE THREE COMPONENTS OF
THE ITIM PROCESS

     Select

      Within the “select” component of the capital planning and
investment control process, an agency is to:

     1. evaluate each investment to determine whether the
        investment will support core mission functions,

     2. demonstrate a projected return on the investment that is
        clearly equal to or better than alternative uses of available
        public resources,

     3. prepare and update a benefit-cost analysis for each
        information system throughout its life cycle,

     4. prepare and maintain a portfolio of major information
        systems,

     5. ensure consistency with the agency’s EA,

     6. establish oversight mechanisms to ensure continuing security
        and availability of systems and their data, and

     7. ensure that improvements to existing information systems
        and the development of planned information systems do not
        necessarily duplicate IT capabilities within the same agency.

     Control

      Within the “control” component of the capital planning and
investment control process, an agency is to:

     1. institute performance measures and management processes
        that monitor actual performance compared to expected
        results,

     2. establish oversight mechanisms that require periodic review
        of information systems to determine whether the information
        systems continue to fulfill ongoing and anticipated mission
        requirements,

     3. ensure that major information systems proceed in a timely
        fashion toward agreed-upon milestones,

     4. prepare and update a strategy that identifies and mitigates
        risks associated with each information system, and

     5. ensure that agency EA procedures are being followed.

     Evaluate

      Within the “evaluate” component of the capital planning and
investment control process, an agency is to:

     1. conduct post-implementation reviews of information systems
        and information resource management processes to validate
        estimated benefits and costs and to document effective
        management practices for broader use;

     2. evaluate systems to ensure positive return on investment and
        to decide whether continuation, modification, or termination
        of the systems is necessary to meet agency mission
        requirements;

     3. document lessons learned from the post-implementation
        reviews;

     4. reassess an investment’s technical compliance and
        compliance with EA; and

     5. update the EA and IT capital planning processes as needed.

Source: The Office of Management and Budget.


APPENDIX 4

Summary of the EA Management Framework’s Maturity Stages,
Critical Success Attributes, and Core Elements

Maturity stages (maturation increases from Stage 1 to Stage 5):

     Stage 1: Creating EA awareness
     Stage 2: Building the EA management foundation
     Stage 3: Developing EA products
     Stage 4: Completing EA products
     Stage 5: Leveraging the EA to manage change

The table lists no core elements for Stage 1.

Attribute 1: Demonstrates commitment

     Stage 2:
     •   Adequate resources exist.
     •   Committee or group representing the enterprise is responsible
         for directing, overseeing, or approving EA.

     Stage 3:
     •   Written and approved organization policy exists for EA
         development.

     Stage 4:
     •   Written and approved organization policy exists for EA
         maintenance.

     Stage 5:
     •   Written and approved organization policy exists for IT
         investment compliance with EA.

Attribute 2: Provides capability to meet commitment

     Stage 2:
     •   Program office responsible for EA development and
         maintenance exists.
     •   EA is being developed using a framework, methodology, and
         automated tool.

     Stage 3:
     •   EA products are under configuration management.

     Stage 4:
     •   EA products and management processes undergo independent
         verification and validation.

     Stage 5:
     •   Process exists to formally manage EA change.
     •   EA is integral component of IT investment management
         process.

Attribute 3: Demonstrates satisfaction of commitment

     Stage 2:
     •   EA plans call for describing both the “as is” and the “to-be”
         environments of the enterprise, as well as a sequencing plan
         for transitioning from the “as is” to the “to-be”.
     •   EA plans call for describing both the “as is” and the “to-be”
         environments in terms of business, performance,
         information/data, application/service, and technology
         descriptions to address security.

     Stage 3:
     •   EA products describe or will describe both the “as is” and
         the “to-be” environments of enterprise, as well as a
         sequencing plan for transitioning from the “as is” to the
         “to-be”.
     •   Both the “as is” and the “to-be” environments are described
         or will be described in terms of business, performance,
         information/data, application/service, and technology.
     •   Business, performance, information/data,
         application/service, and technology descriptions address or
         will address security.

     Stage 4:
     •   EA products describe both the “as is” and the “to-be”
         environments of enterprise, as well as a sequencing plan for
         transitioning from the “as is” to the “to-be”.
     •   Both the “as is” and the “to-be” environments are described
         in terms of business, performance, information/data,
         application/service, and technology.
     •   Business, performance, information/data,
         application/service, and technology descriptions address
         security.
     •   Organization CIO has approved current version of EA.
     •   Committee or group representing the enterprise or the
         investment review board has approved current version of EA.

     Stage 5:
     •   EA products are periodically updated.
     •   IT investments comply with EA.
     •   Organization head has approved current version of EA.

Attribute 4: Verifies satisfaction of commitment

     Stage 2:
     •   EA plans call for developing metrics for measuring EA
         progress, quality, compliance, and return on investment.

     Stage 3:
     •   Progress against EA plans is measured and reported.

     Stage 4:
     •   Quality of EA products is measured and reported.

     Stage 5:
     •   Return on EA investment is measured and reported.
     •   Compliance with EA is measured and reported.

Source: The U.S. Government Accountability Office.


DEA’S IT MANAGEMENT PROGRAM

[Figure: DEA IT Management Program. The chart lays out the program's
management areas as rows, framed by “Business Goals” on one side and
“Data Collection and Metrics” on the other:

     Strategic Planning: Strategic Plan/Goals; Performance Plan /
         Measures (Capital Plan); Performance Plan Report (EVMS Summary)
     Budget: Base/Prelim. Funding; Development/Capital Funding;
         O&M Funding
     Procurement: Studies/Analyses Contracts; Integration/Development
         Contracts; Support/Maintenance Contracts
     IT Investment Mgmt (ITIM): Select (Plan, Justify); Control
         (Operate, Acquire, Monitor, Deploy); Evaluate (Review, Modify,
         Assess, Phase-out)
     Quality Management: Quality Management Program (Standards
         Compliance, Product Quality, Process Quality CMM, Customer
         Satisfaction, System Performance); Metrics Management (Cost,
         Schedule, Quality, Performance)
     IT Security: Facilitated Risk Assessment Process (FRAP); Security
         Test and Evaluation (ST&E); Certification & Accreditation
     System Development Life Cycle (SDLC) [Program Management]:
         Rational Unified Process: Inception (Concept Alternatives,
         Cost Benefit, ROI, Risk); Elaboration (Project Planning,
         Budget Development, Performance Measures, Functional
         Requirements); Construction (Software Requirements, System
         Design, Coding, System Testing); Transition (Independent
         Testing (IV&V, I&P, Acceptance); Operations; Maintenance;
         Retire/Dispose/Replace)]
                 - Deploy\n       ENTERPRISE                                Business            Component Data                    Component Applications       Component Technology Component Architecture\n       ARCHITECTURE                            Architecture           Architecture                         Architecture                   Architecture            Assessment\n                                             Develop/Update Training Materials                   Present Training                                Evaluate Training Effectiveness\n       PROCESS TOOLS                                         Intranet, Webster, MicroSoft Office suite, MicroSoft Project, processMax, CostXpert , RITS, SIMS, Rational\n\n\n\n\n                                                                                                                                                                                                                         APPENDIX 5\n                                        Source: The Drug Enforcement Administration.\n\x0c                                                        The Drug Enforcement Administration\n                                                               ORGANIZATION CHART\n\n\n                                                                           ADMINISTRATOR\n\n\n                                                       Office of Chief Counsel       Office of Congressional\n                                                                                        and Public Affairs\n\n\n\n                                                           Exec. 
Policy &             Administrative Law\n                                                         Stragegic Planning                Judges\n                                                               Staff\n\n\n\n         Human Resources         Operations Division    Intelligence Division       Financial Management          Operational Support       Inspection Division\n               Division          Chief of Operations    Assistant Administror              Division                     Division              Chief Inspector\n       Assistant Administrator                                                      Chief Financial Officer    Assistant Administor (CIO)\n\n\n\n            Career Board         Office of Domestic       Office of Strategic                Office of                Office of                  Office of\n-83-\n\n\n\n\n                                     Operations              Intelligence                   Acquisition             Administration             Inspections\n                                                                                           Management\n\n\n\n        Board of Professional    Office of Diversion    Office of International        Office of Finance               Office of                 Office of\n              Conduct                  Control               Intelligence                                        Information Systems           Professional\n                                                                                                                                              Responsibility\n\n\n\n         Equal Employment             Office of            Office of Special          Office of Resource           Office of Forensic       Office of Security\n          Opportunity Staff         International            Intelligence               Management                      Sciences                Programs\n                                     Operations\n\n\n\n        Offfice of Personnel          
Office of                 Office of                                              Office of\n                                     Operations          Intelligence Policy &                                       Investigative\n                                    Management               Management                                               Technology\n\n\n\n          Office of Training     Special Operations             El Paso\n                                      Division           Intelligence Center\n\n\n\n                                  Aviation Division\n\n\n\n\n                                                                                                                                                                  APPENDIX 6\n                Source: The Drug Enforcement Administration.\n\x0c                                                                        APPENDIX 7\n\n\n                                DEA PROGRESS THROUGH STAGE 3\n                               OF THE EA MANAGEMENT FRAMEWORK\n\n                         Core Elements                               Status\n                                                                             Not\n                                                             Implemented Implemented\nSTAGE 2\nCritical Attribute #1: Demonstrates Commitment\nCore Elements\nAdequate Resources                                               9\nEA Governing Committees                                          9\nCritical Attribute #2: Capability to Meet Commitment\n\n         Core Elements\nEA Program Office                                                9\nAppointment of Chief Architect                                   9\nEA Development                                                   9\nCritical Attribute #3: Demonstrates Satisfaction of\nCommitment\n\n         Core Elements\nEA Program Plan Development                                      9\nSecurity                                                         
9\nCritical Attribute #4: Verifies Satisfaction of Commitment\n\n         Core Elements\nEA Progress Measurement                                                       9\nSTAGE 3\nCritical Process #1: Defining the Portfolio Criteria\n         Key Practices\nDocumented Policies and Procedures                               9\nCriteria Development Responsibility                              9\nAdequate Resources                                                            9\nWorking Group Responsibility                                     9\nPortfolio Selection Criteria                                     9\nSelection Criteria Awareness                                     9\nSelection Criteria Review                                                     9\n\n                                               - 84 -\n\n     -\n\x0c                          Core Elements                               Status\n                                                                              Not\n                                                              Implemented Implemented\n\n        Critical Process #2: Creating the Portfolio\n        Key Practices\nPolicies, Procedures, and Processes                               9\nAdequate Resources                                                9\nBoard Members\xe2\x80\x99 Knowledge                                          9\nExpectation and Performance comparison                                         9\nNew and Ongoing Investment Examination                                         9\nPerformance Expectation Modification                                           9\nArchiving Used Information                                                     9\nCritical Process #3: Evaluating the Portfolio\n        Key Practices\nPolicies and Procedures                                                        9\nAdequate Resources                                                             9\nBoard\xe2\x80\x99s Knowledge of Evaluation Criteria             
                          9\nBoard Review Provision                                                         9\nAssessment Criteria Development                                   9\nPerformance Measurement Data and Criteria                                      9\nInvestment Adjustments                                                         9\nCritical Process #4: Conducting Post-Implementation Reviews\n        Key Practices\nDocumented policies and procedures                                             9\nResource adequacy                                                              9\nInvestment board knowledge                                                     9\nInvestment board identification                                                9\nData use and collection                                                        9\nInvestment board assessment                                                    9\n    Source: Office of the Inspector General.\n\n\n\n\n                                                 - 85 -\n\n    -\n\x0c                             FEDERAL ENTERPRISE ARCHITECTURE FRAMEWORK\n    - 86 \xe2\x80\x93\n\n\n\n\n                                                                         APPENDIX 8\n             Source: The Drug Enforcement Administration.\n\n\n\n\n-\n\x0c                                                                                APPENDIX 9\n\n\n                                  DEA PROGRESS THROUGH STAGE 3\n                                      OF THE ITIM FRAMEWORK\n\nKey Practices                                                          Status\n                                                                                  Not\n                                                                  Implemented Implemented\nSTAGE 2\nCritical Process #1: Instituting the Investment Board\nKey practices\nInvestment Boards                                                     9\nIT Investment Process                                         
        9\nAdequate Resources                                                    9\nCompetence                                                            9\nAvoiding Duplication of Gaps                                          9\nOversight Responsibilities                                            9\nControls                                                              9\nCritical Process #2: Identifying Business Needs for IT Projects\n\n       Key Practices\nPolicies and Procedures                                               9\nBusiness Mission                                                      9\nIdentifying Business Needs                                            9\nSpecific User Identification                                          9\nEnd-Users Participation                                               9\nInvestment Board Evaluation                                           9\nCritical Process #3: Selecting An Investment\n\n       Key Practices\nPolicies and Procedures                                               9\nAdequate Resources                                                    9\nCriteria                                                              9\nOrganizational Objectives                                             9\nSelection Process                                                     9\nReselection Process                                                   9\nFunding vs. 
Selection Decisions                                       9\n\n\n\n                                                - 87 -\n\x0cKey Practices                                                    Status\n                                                                            Not\n                                                            Implemented Implemented\n\n      Critical Process #4: Providing Investment Oversight\n\n      Key Practices\nPolicies and Procedures                                         9\nAdequate Resources                                              9\nProject Management Plans                                        9\nActual Performance Data                                         9\nPerformance Reviews                                             9\nCritical Process #5: Capturing Investment Information\n      Key Practices\nInformation Collection                                          9\nInformation Accessibility                                       9\nMaintaining the Information Repository                          9\nSTAGE 3\nCritical Process #1: Defining the Portfolio Criteria\n      Key Practices\nDocumented Policies and Procedures                              9\nCriteria Development Responsibility                             9\nAdequate Resources                                                          9\nWorking Group Responsibility                                    9\nPortfolio Selection Criteria                                    9\nSelection Criteria Awareness                                    9\nSelection Criteria Review                                                   9\nCritical Process #2: Creating the Portfolio\n      Key Practices\nPolicies, Procedures, and Processes                             9\nAdequate Resources                                              9\nBoard Members\xe2\x80\x99 Knowledge                                        9\nExpectation and Performance comparison                                      9\nNew 
and Ongoing Investment Examination                                      9\nPerformance Expectation Modification                                        9\nArchiving Used Information                                                  9\n\n\n\n                                                  - 88 -\n\x0cKey Practices                                                      Status\n                                                                              Not\n                                                              Implemented Implemented\n\nCritical Process #3: Evaluating the Portfolio\n      Key Practices\nPolicies and Procedures                                                       9\nAdequate Resources                                                            9\nBoard\xe2\x80\x99s Knowledge of Evaluation Criteria                                      9\nBoard Review Provision                                                        9\nAssessment Criteria Development                                   9\nPerformance Measurement Data and Criteria                                     9\nInvestment Adjustments                                                        9\nCritical Process #4: Conducting Post-Implementation Reviews\n      Key Practices\nDocumented policies and procedures                                            9\nResource adequacy                                                             9\nInvestment board knowledge                                                    9\nInvestment board identification                                               9\nData use and collection                                                       9\nInvestment board assessment                                                   9\n        Source: Office of the Inspector General.\n\n\n\n\n                                                   - 89 -\n\x0c         APPENDIX 10\n\n\n\n\n- 90 -\n\x0c- 91 -\n\x0c- 92 -\n\x0c- 93 -\n\x0c                                                   
APPENDIX 11

OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF
ACTIONS NECESSARY TO CLOSE REPORT

      We provided a draft audit report to the DEA for review and comment.
The response from the DEA is incorporated as Appendix 10 of this final
report. The DEA concurred with the recommendations resulting from the
audit. Our analysis of the DEA’s response to specific recommendations is
provided below.

Recommendation Number:

1. Resolved. This recommendation is resolved based on the DEA’s plan to
   determine its current Enterprise Architecture (EA) maturity level and
   establish an EA Review Board that will apply the Government
   Accountability Office’s Maturity Model criteria and the metrics within the
   model. This recommendation can be closed when we receive and review
   documentation that the DEA is applying metrics to measure EA progress,
   quality, compliance, and return on investment.

2. Resolved. This recommendation is resolved based on the DEA’s plan to
   develop a charter, policy, plan, and maintenance process to keep the
   DEA’s EA aligned with the federal and the Department of Justice EA
   framework and guidance. This recommendation can be closed when we
   receive and review a copy of the policy for EA development and
   maintenance that meets the requirements of the EA Management
   Framework.

3. Resolved. This recommendation is resolved based on the DEA’s intent to
   actively ensure that configuration controls are provided and obeyed. This
   recommendation can be closed when we receive and review a copy of the
   maintenance process that will ensure the completed EA undergoes
   configuration management.

4. Resolved. This recommendation is resolved based on the DEA’s plan to
   integrate security with EA so that all of the artifacts of the DEA’s EA will
   be aligned with security attributes and comply with the Federal
   Information Security Management Act. This recommendation can be
   closed when we receive and review documentation that the target
   architecture addresses security as outlined in the EA Program Plan.

5. Resolved. This recommendation is resolved based on the DEA’s plan to
   integrate the target EA with the Information Technology Investment
   Management (ITIM) process to ensure that the DEA’s information
   technology investments are not duplicative, are well integrated, are cost
   effective, and support the DEA mission. This recommendation can be
   closed when we receive and review documentation that the remaining EA
   stages are completed and implemented.

6. Resolved. This recommendation is resolved based on the DEA’s plan to
   schedule an ITIM investment board meeting to focus on investment
   management training, including process, evaluating, scoring, and EA.
   This recommendation can be closed when we receive and review
   documentation that the board members have received the planned
   training.

7. Resolved. This recommendation is resolved based on the DEA’s
   intention to review and update the ITIM transition plan based on current
   activities, strategies, and plans. This recommendation can be closed
   when we receive and review the DEA’s schedule for completing Stages
   3 through 5 of the ITIM process to control and evaluate the DEA’s
   information technology investments.
"